third_party/nix/pkgs/bazel_8: fix linux-sandbox Looks like this never actually worked on NixOS due to a hardcoded /bin/true. Change-Id: I6a6a6964bf6951592e92bfcd16b309a8d46e123d Reviewed-on: https://review.monogon.dev/c/monogon/+/4448 Tested-by: Jenkins CI Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

commit: 5a4037ccda447a1346c905287499bd069a408f8b [log] [tgz]
author: Leopold Schabel <leo@monogon.tech> Mon Jul 21 18:27:05 2025 +0200
committer: Leopold Schabel <leo@monogon.tech> Tue Jul 22 15:50:31 2025 +0000
tree: 22948091ba54cfad137587abef794930d03aa25a
parent: 9e964888dbac4ba94a1925deb1765d478b3258ff [diff]
diff --git a/third_party/nix/pkgs/bazel_8/package.nix b/third_party/nix/pkgs/bazel_8/package.nix
index 7a27697..ab05384 100644
--- a/third_party/nix/pkgs/bazel_8/package.nix
+++ b/third_party/nix/pkgs/bazel_8/package.nix

@@ -221,6 +221,12 @@
       usrBinEnv = "${coreutils}/bin/env";
     })
 
+    # TODO: upstream to nixpkgs
+    # Bazel tries to run "/bin/true" to test if linux-sandbox works.
+    (replaceVars ./patches/linux_sandbox.patch {
+      binTrue = "${coreutils}/bin/true";
+    })
+
     # Provide default JRE for Bazel process by setting --server_javabase=
     # in a new default system bazelrc file
     (replaceVars ./patches/bazel_rc.patch {

diff --git a/third_party/nix/pkgs/bazel_8/patches/linux_sandbox.patch b/third_party/nix/pkgs/bazel_8/patches/linux_sandbox.patch
new file mode 100644
index 0000000..033f06a
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/linux_sandbox.patch

@@ -0,0 +1,13 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+index dc188b4ce2..46d338c9af 100644
+--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
++++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+@@ -106,7 +106,7 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
+     ImmutableList<String> linuxSandboxArgv =
+         LinuxSandboxCommandLineBuilder.commandLineBuilder(linuxSandbox)
+             .setTimeout(options.getLocalSigkillGraceSeconds())
+-            .buildForCommand(ImmutableList.of("/bin/true"));
++            .buildForCommand(ImmutableList.of("@binTrue@"));
+     ImmutableMap<String, String> env = ImmutableMap.of();
+     Path execRoot = cmdEnv.getExecRoot();
+     File cwd = execRoot.getPathFile();
commit	5a4037ccda447a1346c905287499bd069a408f8b	[log] [tgz]
author	Leopold Schabel <leo@monogon.tech>	Mon Jul 21 18:27:05 2025 +0200
committer	Leopold Schabel <leo@monogon.tech>	Tue Jul 22 15:50:31 2025 +0000
tree	22948091ba54cfad137587abef794930d03aa25a
parent	9e964888dbac4ba94a1925deb1765d478b3258ff [diff]