Bazel "linux-sandbox ... permission denied" in Docker CI
Bazel isolates actions with linux-sandbox, which uses user and mount namespaces. Inside a restricted container those namespace calls can be denied by seccomp or missing privileges, so the sandbox cannot start and the action fails.
What this error means
A build fails with "linux-sandbox failed: ... Permission denied" or "namespace ... Operation not permitted" only when running inside a Docker container in CI.
ERROR: linux-sandbox failed: error executing command
src/main/tools/linux-sandbox ... : Permission denied
(clone(): Operation not permitted)Common causes
The container blocks namespace syscalls
A default Docker seccomp profile or an unprivileged container denies the clone/unshare calls linux-sandbox needs.
No privileges for user namespaces
The runner container lacks the capabilities or settings required to create user namespaces, so the sandbox cannot initialize.
How to fix it
Grant the container sandbox privileges
Allow the namespace syscalls, for example by loosening seccomp or running the container with the needed privileges.
docker run --privileged \
ghcr.io/example/ci-image bazel test //...Switch the spawn strategy
If you cannot grant privileges, disable the sandbox for the affected actions with a different strategy.
build --spawn_strategy=localHow to prevent it
- Grant containers the privileges linux-sandbox needs, or use a custom seccomp profile.
- Set --spawn_strategy where sandboxing cannot be privileged.
- Test the sandbox in the exact CI container image before relying on it.