can't bind to "localhost" with sandboxing on OS X #5206

Closed
talya opened this issue May 16, 2018 · 14 comments
Comments

@talya

talya commented May 16, 2018

Description of the problem / feature request:

`new InetSocketAddress("localhost", 0).bind()`
fails on OS X when run with sandboxing.
It passes without sandboxing, or with sandboxing on docker-on-mac.

Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

https://github.com/talya/bazel-localhost-resolving

Environment info

  • OS X Sierra (10.12)
  • bazel 0.13.0

Have you found anything relevant by searching the web?

related to #2669 and seems that relevant code is DarwinSandboxedSpawnRunner (which was last changed to allow the unix-socket in #3444):

```java
        out.println("(deny network*)");
        out.println("(allow network* (local ip \"localhost:*\"))");
        out.println("(allow network* (remote ip \"localhost:*\"))");
        out.println("(allow network* (remote unix-socket))");
      }
```

@talya
Author

talya commented May 16, 2018

@buchgr , could you take a look?

@ittaiz fyi

@buchgr
Contributor

buchgr commented May 16, 2018

I am not sure I understand. You added the block-network tag to your target. So it's expected that the network doesn't work?

@talya
Author

talya commented May 16, 2018

External network shouldn't work, yes, but binding to localhost (InetAddress `localhost/127.0.0.1:0`) with `block-network`:
- works on Linux
- works on docker-on-mac
- does NOT work on Mac

@buchgr
Contributor

buchgr commented May 16, 2018

oh i see. does it work to bind to an arbitrary free port?

@talya
Author

talya commented May 16, 2018

IIUC, using port 0 does what you mean?
This is the code from the sample repo:

```java
String host = "localhost";
InetSocketAddress address = new InetSocketAddress(host, 0);
```

@buchgr
Contributor

buchgr commented May 16, 2018

What I meant was what if you try to bind to a free port that you specify explicitly. I have just tried it out myself and that doesn't work either. Seems like a legit bug - thanks for reporting it and providing a reproducer!

@talya
Author

talya commented Jun 3, 2018

Ping, any update on this?

Also, possibly the fix for this older issue is relevant: "The behavior of the Linux sandbox was changed to not hide the local hostname by default."
But no matching Darwin code was changed to match.

@talya
Author

talya commented Jun 19, 2018

I tried locally changing Bazel to fix this; summarizing my attempts:

Trying to change these lines:

```java
out.println("(allow network* (local ip \"localhost:*\"))");
out.println("(allow network* (remote ip \"localhost:*\"))");
```

It's not possible to change this to be `localhost/127.0.0.1:*` or `localhost/*:*`, since Apple's `.sb` format doesn't support this (results in this error: `host must be * or localhost in network address`).
Also tried using `out.println("(allow network* (local ip))");`, but that completely breaks the sandboxing, since even external addresses are accessible.
I added the `shouldNotBindToNonLoopbackAddress` test to the sample repo to guard against this.

@ittaiz
Member

ittaiz commented Jul 1, 2018 via email

@buchgr buchgr assigned philwo and unassigned buchgr Jul 2, 2018
@buchgr
Contributor

buchgr commented Jul 2, 2018

@philwo is back tomorrow. He should be able to sort this out quickly.

@philwo
Member

philwo commented Jul 4, 2018

Hi,

Unfortunately this is nothing that Bazel can fix. It's an issue in macOS's sandbox implementation.

As you have found out, the only valid values for the "allow/deny network" settings are "*" and "localhost". We are already setting this to "localhost". The fact that macOS's sandbox then still forbids binding to "localhost" is a bug in the sandbox, not in Bazel.

However, as we hit the same issue in Bazel, luckily I can share a workaround with you that you can apply to your own code:

https://source.bazel.build/bazel/+/6b8c7ca48e9e48a9906c031346dc4a924b7ef559:src/main/java/com/google/devtools/build/lib/server/GrpcServerImpl.java;l=691

I'd also recommend reporting this issue to Apple.

Hope this helps,
Philipp
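
The pattern discussed in this thread, written out as an added example (it is not the code at the link above, nor any other Bazel code): a server that must stay reachable only on the loopback interface under a `block-network` sandbox tries the loopback candidates in turn (`localhost` first, then the literal `127.0.0.1`, then `::1`, an assumed order), and, to cover the concern raised by the `shouldNotBindToNonLoopbackAddress` test earlier in the thread, refuses any socket that did not end up on a loopback address. The class name `LoopbackBind` and the candidate list are assumptions for this example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.List;

public class LoopbackBind {

  // Loopback candidates, tried in order. The order is an assumption for this
  // example; the sandbox profile only recognises "localhost" and "*", so when
  // the name-based bind fails the literal addresses are the next thing to try.
  static List<InetAddress> loopbackCandidates() throws IOException {
    List<InetAddress> out = new ArrayList<>();
    out.add(InetAddress.getByName("localhost"));
    out.add(InetAddress.getByName("127.0.0.1"));
    out.add(InetAddress.getByName("::1"));
    return out;
  }

  // Bind to the first loopback candidate the environment allows. Port 0 asks
  // the OS for any free port, matching the reporter's reproducer.
  static ServerSocket bindLoopback(int port) throws IOException {
    IOException last = null;
    for (InetAddress addr : loopbackCandidates()) {
      ServerSocket socket = new ServerSocket();
      try {
        socket.bind(new InetSocketAddress(addr, port));
        // Guard against a widened sandbox rule such as "(allow network* (local ip))":
        // never keep a socket that is listening on a non-loopback address.
        if (!socket.getInetAddress().isLoopbackAddress()) {
          socket.close();
          throw new IOException("bound to non-loopback address " + socket.getInetAddress());
        }
        return socket;
      } catch (IOException e) {
        socket.close();
        last = e; // remember the failure and try the next candidate
      }
    }
    throw new IOException("no loopback address could be bound", last);
  }

  public static void main(String[] args) throws IOException {
    try (ServerSocket socket = bindLoopback(0)) {
      System.out.println("listening on " + socket.getLocalSocketAddress());
    }
  }
}
```

The loopback check after the bind is the important part from a sandboxing point of view: it keeps a test from silently passing because the profile was loosened to allow all local addresses, which is exactly the regression the reporter's extra test was written to catch.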

@philwo philwo closed this as completed Jul 4, 2018
@talya
Author

talya commented Jul 9, 2018

Thanks, the comment in the referenced code is quite detailed :)

copybara-service bot pushed a commit that referenced this issue Jan 18, 2024
copybara-service bot pushed a commit that referenced this issue Jan 19, 2024
Related issues:
- #20743
- #5206

PiperOrigin-RevId: 599754818
Change-Id: I228201d578b7459332aebfea6ab4d7c041b3e6c4
meteorcloudy added a commit to meteorcloudy/bazel that referenced this issue Jan 19, 2024
Related issues:
- bazelbuild#20743
- bazelbuild#5206

PiperOrigin-RevId: 599754818
Change-Id: I228201d578b7459332aebfea6ab4d7c041b3e6c4
github-merge-queue bot pushed a commit that referenced this issue Jan 19, 2024
Set Xcode version to 15.1 on macOS arm64 machines
bazel_determinism_test seems to be flaky due to a non-deterministic
issue of the clang compiler in Xcode 14.2

Fixes #20690

PiperOrigin-RevId: 598760276
Change-Id: Ibc46dfa64fe91f26acfa5091a07c17e3bf97f29c

____

Allow network for two Java tests to avoid binding issue on macOS sandbox

https://buildkite.com/bazel/bazel-bazel/builds/26312#018d1722-0e79-47b4-82ed-9cc47487e05a

Related issues:
- #20743
- #5206

PiperOrigin-RevId: 599452705
Change-Id: I2fdccd9df513064e5bc9add4f1802d4c1ce9c6da

____

Allow network for StarlarkDebugServerTest
Related issues:
- #20743
- #5206

PiperOrigin-RevId: 599754818
Change-Id: I228201d578b7459332aebfea6ab4d7c041b3e6c4

___

Add mirror for embedded JDKs URLs
Reduce flakiness like:
https://buildkite.com/bazel/bazel-bazel/builds/26343#018d1e09-4c23-404c-a307-7476e092c7ab

PiperOrigin-RevId: 599759327
Change-Id: I43fa2ec996f03e77da926c2afeaca13cbf029a1b
@fzakaria
Contributor

fzakaria commented Dec 4, 2024

Anyone ever open a bug for Apple to look into this?
As of 2024 I still see this as an issue.

@fzakaria
Contributor

fzakaria commented Dec 4, 2024

FWIW, I heard on Bazel Slack that 127.0.0.1 works as well (unconfirmed), in addition to IPv6.

6 participants