Skip to content
Latchkey

Bazel "linux-sandbox ... permission denied" in Docker CI

Bazel isolates actions with linux-sandbox, which uses user and mount namespaces. Inside a restricted container those namespace calls can be denied by seccomp or missing privileges, so the sandbox cannot start and the action fails.

What this error means

A build fails with "linux-sandbox failed: ... Permission denied" or "namespace ... Operation not permitted" only when running inside a Docker container in CI.

bazel
ERROR: linux-sandbox failed: error executing command
src/main/tools/linux-sandbox ... : Permission denied
(clone(): Operation not permitted)

Common causes

The container blocks namespace syscalls

A default Docker seccomp profile or an unprivileged container denies the clone/unshare calls linux-sandbox needs.

No privileges for user namespaces

The runner container lacks the capabilities or settings required to create user namespaces, so the sandbox cannot initialize.

How to fix it

Grant the container sandbox privileges

Allow the namespace syscalls, for example by loosening seccomp or running the container with the needed privileges.

Terminal
docker run --privileged \
  ghcr.io/example/ci-image bazel test //...

Switch the spawn strategy

If you cannot grant privileges, disable the sandbox for the affected actions with a different strategy.

.bazelrc
build --spawn_strategy=local

How to prevent it

  • Grant containers the privileges linux-sandbox needs, or use a custom seccomp profile.
  • Set --spawn_strategy where sandboxing cannot be privileged.
  • Test the sandbox in the exact CI container image before relying on it.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →