
Can Bazel hide host files completely from build actions?


I want to hide all irrelevant source files from build actions because some tools explore the host file system; for example, node searches for a node_modules directory from the working directory up to the root /. But linux-sandbox doesn't seem to hide host files outside the sandboxes:

genrule(
    name = "foo",
    outs = ["x"],
    cmd = "ls ~ | tee $@",
)

Outputs:

<my home files>
Target //:foo up-to-date:
  bazel-bin/x
INFO: Elapsed time: 0.088s, Critical Path: 0.01s
INFO: 2 processes: 1 internal, 1 linux-sandbox.

According to the official doc, linux-sandbox makes host files read-only but doesn't hide them.

Is there any way to hide host files?


Solution

  • One can make a host path inaccessible in the linux sandbox with --sandbox_block_path.

    It's also possible to remove all host directories from the sandbox except ones explicitly added with --sandbox_add_mount_pair by employing the --experimental_use_hermetic_linux_sandbox flag.
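
The two approaches from the answer above, written as a .bazelrc fragment. This is an added example, not part of the original answer; the config names (blockpath, hermetic), the /home/alice path and the list of mounted system directories are assumptions to adapt to your host.

```bazelrc
# .bazelrc (constructed example)

# Approach 1: keep the default linux-sandbox view of the host, but make
# selected paths inaccessible to actions. The flag can be repeated.
# /home/alice/node_modules is a placeholder for a stray directory that
# node's upward node_modules lookup would otherwise find.
build:blockpath --sandbox_block_path=/home/alice/node_modules

# Approach 2: hermetic sandbox. The host root is not mounted; only the
# paths listed with --sandbox_add_mount_pair are visible, so every
# directory the toolchain needs must be listed explicitly.
# The directories below are an assumed minimum for running shell tools
# (ls, tee, bash) on a typical Linux host; use paths that exist on yours.
build:hermetic --experimental_use_hermetic_linux_sandbox
build:hermetic --sandbox_add_mount_pair=/bin
build:hermetic --sandbox_add_mount_pair=/lib
build:hermetic --sandbox_add_mount_pair=/lib64
build:hermetic --sandbox_add_mount_pair=/usr

# --sandbox_add_mount_pair also accepts source:target to mount a host
# directory at a different path inside the sandbox, for example:
# build:hermetic --sandbox_add_mount_pair=/opt/toolchain:/usr/local/toolchain

# To check the result, rebuild the genrule from the question with one
# of the configs and inspect what it was able to list:
#   bazel build --config=hermetic //:foo && cat bazel-bin/x
```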