From 7ca75c7491719dbcc1c84bd5b153d119e49b679e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Liberal=20Fern=C3=A1ndez?= <plf@google.com>
Date: Fri, 17 May 2024 17:30:39 +0200
Subject: [PATCH 1/2] Fix sandbox_base hermetic tmp

---
 .../devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
index d4b9a09f917a48..d2b86cc533d980 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
@@ -175,8 +175,10 @@ private ImmutableSet<Path> collectPathsToMountUnderHermeticTmp(CommandEnvironmen
     // into the sandbox when using hermetic /tmp. We attempt to collect an over-approximation of
     // these paths, as the main goal of hermetic /tmp is to avoid inheriting any direct
     // or well-known children of /tmp from the host.
+    // TODO(bazel-team): Review all flags whose path may have to be considered here.
     return Stream.concat(
-            Stream.of(cmdEnv.getOutputBase()),
+            Stream.concat(Stream.of(sandboxBase),
+                Stream.of(cmdEnv.getOutputBase())),
             cmdEnv.getPackageLocator().getPathEntries().stream().map(Root::asPath))
         .filter(p -> p.startsWith(slashTmp))
         // For any path /tmp/dir1/dir2 we encounter, we instead mount /tmp/dir1 (first two

From e7204fc1933682ae13ff93c2dc219384bed9b8be Mon Sep 17 00:00:00 2001
From: oquenchil <23365806+oquenchil@users.noreply.github.com>
Date: Mon, 20 May 2024 09:49:29 +0200
Subject: [PATCH 2/2] Update
 src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java

Co-authored-by: Fabian Meumertzheim <fabian@meumertzhe.im>
---
 .../devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java  | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
index d2b86cc533d980..43c77ecc891804 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
@@ -177,8 +177,7 @@ private ImmutableSet<Path> collectPathsToMountUnderHermeticTmp(CommandEnvironmen
     // or well-known children of /tmp from the host.
     // TODO(bazel-team): Review all flags whose path may have to be considered here.
     return Stream.concat(
-            Stream.concat(Stream.of(sandboxBase),
-                Stream.of(cmdEnv.getOutputBase())),
+            Stream.of(sandboxBase, cmdEnv.getOutputBase()),
             cmdEnv.getPackageLocator().getPathEntries().stream().map(Root::asPath))
         .filter(p -> p.startsWith(slashTmp))
         // For any path /tmp/dir1/dir2 we encounter, we instead mount /tmp/dir1 (first two