Windows Sandboxing status

[sluongng]

I want to make this post to share my understanding of the current state of Windows Sandboxing in Bazel. There have been several folks asking me about surprising Windows behaviors and most of that was because of the lack of sandboxing on Windows.

As of today, there is no sandboxing support for Windows thus most actions are executed using local strategy.
One might eagerly point out that there are these 2 flags lurking in the Command-Line Reference page of Bazel doc:

--[no]experimental_use_windows_sandbox default: "false"
Use Windows sandbox to run actions. If "yes", the binary provided by --experimental_windows_sandbox_path must be valid and correspond to a supported version of sandboxfs. If "auto", the binary may be missing or not compatible.

--experimental_windows_sandbox_path= default: "BazelSandbox.exe"
Path to the Windows sandbox binary to use when --experimental_use_windows_sandbox is true. If a bare name, use the first binary of that name found in the PATH.

However, you will quickly realize that BazelSandbox.exe does not exist in any release distribution, or is referenced anywhere in Bazel source code other than this flag. So what is going on?

---

Sandboxing Implementation

According to Bazel on Windows, there was a proposal for "Sandboxing on Windows" and a Google Summer of Code project. The quick summary is that by re-using Microsoft's BuildXL sandboxing technology Detour, we could build a sandbox for Bazel.

From the google doc, the BazelSandbox.exe file could be built with the following commands

git clone https://github.com/rongjiecomputer/BuildXL
cd BuildXL
bxl -deployconfig release -minimal Out\Bin\BazelSandbox\*

However, there are some unfinished works before that binary could be shipped with Bazel:

• How to manage BuildXL repo/binary version and build the sandbox binary from there?
• More Windows Integration tests using BazelSandbox
• Performance improvements
• Rewrite it in Rust

(I am kidding on the last point)

---

With that said, if anyone is motivated enough to pick up the project, feel free to comment and ask questions here 🤝