All headers under /usr/include available even with sandboxing?


glin...@gmail.com

Feb 1, 2016, 1:53:59 PM
to bazel-discuss
It appears that even when building with sandbox enabled, bazel will pick up any headers under /usr/include? When reading http://bazel.io/blog/2015/09/11/sandboxing.html, it does look like this is the case, I just wanted to double check.

For example, I have boost installed locally, and this compiles happily on ubuntu 14.04:
test.cc:
#include <boost/function.hpp>
int main() { return 0; }

BUILD:
cc_binary(name="test", srcs=["test.cc"])

Thanks,
Gary

Kristina Chodorow

Feb 1, 2016, 2:00:34 PM
to glin...@gmail.com, bazel-discuss
Yes, this is set up in the CROSSTOOL file (https://github.com/bazelbuild/bazel/blob/master/tools/cpp/CROSSTOOL#L95-L97).  You could change that if you wanted.


James Philbin

Feb 1, 2016, 2:39:08 PM
to bazel-discuss, glin...@gmail.com
Wait, all of /usr/include is picked up? Doesn't this significantly reduce the benefits of sandboxing wrt local system dependencies?

Is there some way of specifying default includes like 'stdio.h', etc, rather than mounting the whole directory?

Thanks,
James

Brian Silverman

Feb 2, 2016, 10:06:17 AM
to James Philbin, bazel-discuss, Gary Linscott
Yes, it does mean the sandbox won't prevent you from using libraries pre-installed on the system that aren't specified as dependencies. Doing anything else is hard because the standard headers are in different places on different systems/versions/compilers (there are already various people who want /usr/local/include and other places included in the sandbox because their systems rely on those when building code).

My solution is to use a non-system compiler with non-system include paths. That generally means using -nostdinc and specifying them all manually so they come from a different directory which doesn't have any other libraries installed in it. Even though everything in /usr/include is included in the sandbox, the compiler doesn't look at it and Bazel will flag it as an error if it does for some reason. The wiki page I recently created about building with a custom toolchain is a guide to setting this up if you want to try it.
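
Added example (not part of the thread, and not Bazel's own code): a minimal audit of a compiler dependency file, as written by `gcc -MD`, that reports every header resolved outside the workspace and outside an explicit list of toolchain include roots. The depfile contents and the paths `/work/ws` and `/opt/toolchain/include` are constructed for illustration.

```python
import posixpath

# Constructed sample: roughly what `gcc -MD` could emit for the test.cc in the
# first post. Paths are illustrative, not captured from a real build.
SAMPLE_DEPFILE = """\
test.o: test.cc /usr/include/stdc-predef.h \\
 /usr/include/boost/function.hpp \\
 /usr/include/boost/config.hpp \\
 /opt/toolchain/include/c++/v1/cstddef \\
 third_party/zlib/zlib.h
"""


def parse_depfile(text):
    """Return the prerequisite paths from a Makefile-style dependency file."""
    joined = text.replace("\\\n", " ")  # undo backslash line continuations
    deps = []
    for rule in joined.splitlines():
        if ":" not in rule:
            continue
        _, _, prereqs = rule.partition(":")
        # gcc escapes a space inside a path as "\ "; protect it while splitting
        tokens = prereqs.replace("\\ ", "\0").split()
        deps.extend(t.replace("\0", " ") for t in tokens)
    return deps


def undeclared_headers(deps, workspace_root, allowed_roots):
    """Return normalized paths that fall outside the workspace and allowed roots."""
    roots = [r.rstrip("/") for r in [workspace_root, *allowed_roots]]
    bad = []
    for dep in deps:
        # Resolve relative paths against the workspace, then collapse ".."
        # so a path cannot climb out of a permitted root unnoticed.
        path = posixpath.normpath(posixpath.join(workspace_root, dep))
        if not any(path == r or path.startswith(r + "/") for r in roots):
            bad.append(path)
    return bad


if __name__ == "__main__":
    deps = parse_depfile(SAMPLE_DEPFILE)
    # Hypothetical hermetic toolchain: only its own include root is permitted.
    for path in undeclared_headers(deps, "/work/ws", ["/opt/toolchain/include"]):
        print("undeclared system header:", path)
```

With `/usr/include` added to the allowed roots, which is the situation the thread describes for the default CROSSTOOL, the boost headers pass the audit unreported.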
