Description of the problem / feature request:

new InetSocketAddress("localhost", 0).bind()
fails on OS X when ran with sandboxing
it passes without sandboxing or with sandboxing on docker-on-mac

Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

https://github.com/talya/bazel-localhost-resolving

Environment info

• OS X Sierra (10.12)
• bazel 0.13.0

Have you found anything relevant by searching the web?

related to #2669 and seems that relevant code is DarwinSandboxedSpawnRunner (which was last changed to allow the unix-socket in #3444):

        out.println("(deny network*)");
        out.println("(allow network* (local ip \"localhost:*\"))");
        out.println("(allow network* (remote ip \"localhost:*\"))");
        out.println("(allow network* (remote unix-socket))");
      }```