Description of the bug:

With Bazel 7, but neither Bazel 6.4.0 nor --noincompatible_sandbox_hermetic_tmp, builds with --sandbox_add_mount_pair referencing a path under /tmp fail since /tmp has been remounted before the manually specified mount pair is applied.

Which category does this issue belong to?

Local Execution

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

touch WORKSPACE

cat > .bazelrc <<'EOF'
build --sandbox_add_mount_pair=/tmp/some/path:/etc
EOF

cat > BUILD <<'EOF'
genrule(
    name = "gen",
    outs = ["data.txt"],
    cmd = "ls /etc > $@",
)
EOF

Then:

$ mkdir -p /tmp/some/path
$ bazel clean --expunge && bazel shutdown && bazel build //:gen
...
src/main/tools/linux-sandbox-pid1.cc:305: "mount(/tmp/some/path, /etc, nullptr, MS_BIND | MS_REC, nullptr)": No such file or directory
Target //:gen failed to build
...
# bazel clean --expunge && bazel shutdown && bazel build //:gen --noincompatible_sandbox_hermetic_tmp
...
INFO: Build completed successfully, 2 total actions

Which operating system are you running Bazel on?

Linux

What is the output of bazel info release?

7.0.0

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse master; git rev-parse HEAD ?

No response

Is this a regression? If yes, please try to identify the Bazel commit where the bug was introduced.

No response

Have you found anything relevant by searching the web?

No response

Any other information, logs, or outputs that you want to share?

No response