[clang] 128cc16 - [clang] Bypass sandbox in the rewriter (#174496)

[via cfe-commits]

Author: Jan Svoboda
Date: 2026-01-06T10:34:38-08:00
New Revision: 128cc16c2588472df1b20878fba5facb04da6157

URL: https://github.com/llvm/llvm-project/commit/128cc16c2588472df1b20878fba5facb04da6157
DIFF: https://github.com/llvm/llvm-project/commit/128cc16c2588472df1b20878fba5facb04da6157.diff

LOG: [clang] Bypass sandbox in the rewriter (#174496)

Clang's rewriter currently violates the IO sandbox due to a call to
`llvm::writeToOutput()`. Since the "blessed" `llvm::vfs::OutputBackend`
isn't easily available in that particular spot, this PR instead disables
the sandbox and leaves a FIXME behind.

Added: 
    

Modified: 
    clang/lib/Rewrite/Rewriter.cpp

Removed: 
    


################################################################################
diff  --git a/clang/lib/Rewrite/Rewriter.cpp b/clang/lib/Rewrite/Rewriter.cpp
index ae21a10f81c35..a06fefaa5f188 100644
--- a/clang/lib/Rewrite/Rewriter.cpp
+++ b/clang/lib/Rewrite/Rewriter.cpp
@@ -22,6 +22,7 @@
 #include "llvm/ADT/SmallVector.h"
 #include "llvm/ADT/StringRef.h"
 #include "llvm/Support/Error.h"
+#include "llvm/Support/IOSandbox.h"
 #include "llvm/Support/raw_ostream.h"
 #include <cassert>
 #include <iterator>
@@ -320,6 +321,8 @@ bool Rewriter::overwriteChangedFiles() {
     OptionalFileEntryRef Entry = getSourceMgr().getFileEntryRefForID(I->first);
     llvm::SmallString<128> Path(Entry->getName());
     getSourceMgr().getFileManager().makeAbsolutePath(Path);
+    // FIXME(sandboxing): Remove this by adopting `llvm::vfs::OutputBackend`.
+    auto BypassSandbox = llvm::sys::sandbox::scopedDisable();
     if (auto Error = llvm::writeToOutput(Path, [&](llvm::raw_ostream &OS) {
           I->second.write(OS);
           return llvm::Error::success();