How do I require the sandbox?

I don't want users to accidentally disable the sandbox by leaving user namespaces disabled in their kernel, or through other mechanisms. I want to be able to trust their build results. How do I force the sandbox on through flags?

(The easiest way I've found to test this is to move /bin/true somewhere else momentarily and verify that Bazel refuses to build anything)

Solution

You can specify an explicit Spawn strategy instead of relying on the "pick the best available" algorithm:

bazel build --spawn_strategy=linux-sandbox

This will let builds fail with an error if user namespaces are not available. On macOS the name of the strategy is "darwin-sandbox".

If you're building Java code, you might also want to either enable Worker sandboxing (--worker_sandboxing) or disable the persistent worker feature and compile Java inside the stricter sandbox (--strategy=Javac=linux-sandbox).

Building Go with Bazel could not resolve a repository
Is it possible to change the index URL for fetching `rules_python` itself in bazel?
Bazel - How do I troubleshoot a cmake failure? Foreign Cc - CMake:not all outputs were created or valid
Is there a migration path from Maven to Bazel?
How does Bazel fetch maven parent packages in parallel?
How to merge coverage reports (.dat) from multiple tests in Bazel
Buildfile not found in gnumake_src for rules_foreign_cc
Bazel: Mixing a Linux remote execution platform with a Mac OS local platform
How to use bazel to download amzn2-core packages
bazel c++ program which used JNI, how to deal with the path of the .jar with relative path
How to configure Bazel/Google Test to resolve `bazel test` linker error
Gradle vs Bazel performance of builds
How to run multiple Bazel Query operations in parallel?
How to do verify that some code doesn't compile with Bazel?
Why won't Bazel creating symlinks during the build process?
How to specify number of times a test should be run in BUILD file
Bazel build tflite-micro: Install third-party packages to build my application
Using select when defining a dict in Bazel
Bazel | How to copy resources to build directory?
How do I pass arguments to Bazel java wrapper?
Instantiate different classes according to different compilation flag of same header file in c++
How do I provide a py_binary's runfiles to a C toolchain in Bazel
Bazel make variables substitution
bazel run *_deploy.jar fails with "cannot execute binary file"
What is the difference between a workspace and repository in Bazel
Issue Running Python Application with Bazel - ImportError with NumPy C-Extensions
NextJS Bazel 7 Module not found tsconfig.json
Bazel: pass a build time variable to C++ program
pkg_rules problems on Windows 10
Can't load image tarball into Docker because Docker wants root user but Bazel wants non-root user