proto files build fails when using noexec /tmp

[cristifalcas]

In our company the next generation VMs will have /tmp mount with noexec flag.

This causes the following error:

ERROR: /home/user/development/_repository_/apps/app1/protobuf/tensorflow/core/example/BUILD.bazel:6:14: ProtoScalaPBRule apps/app1/protobuf/tensorflow/core/example/tensorflow_proto_fs2_scalapb.srcjar failed: (Exit 1): scalapb_worker failed: error executing ProtoScalaPBRule command (from target //apps/app1/protobuf/tensorflow/core/example:tensorflow_proto)
  (cd /home/user/.cache/bazel/_bazel_user/aabb233eac901fe18eb3100a49d301a0/execroot/com_etsy_something && \
  exec env - \
  bazel-out/k8-opt-exec-ST-a828a81199fe/bin/external/io_bazel_rules_scala/src/scala/scripts/scalapb_worker '--jvm_flag=-Djava.security.manager=allow' '--jvm_flags=-DGEN_fs2=fs2.grpc.codegen.Fs2CodeGenerator -DGEN_scala=scalapb.ScalaPbCodeGenerator -DPROTOC=bazel-out/k8-opt-exec-ST-a828a81199fe/bin/external/com_google_protobuf/protoc -DJARS=' @bazel-out/k8-fastbuild/bin/apps/app1/protobuf/tensorflow/core/example/tensorflow_proto_fs2_scalapb.srcjar-0.params)
# Configuration: 0747c8795ccdf4b47291c7b20d9f20ea1dae336ea91c321e1db1068d5ef4cb69
# Execution platform: @@internal_platforms_do_not_use//host:host
/tmp/protocbridge16304508168519985830: program not found or is not executable
Please specify a program using absolute path or make sure the program is available in your PATH system variable
--fs2_out: protoc-gen-fs2: Plugin failed with status code 1.
Exception in thread "main" java.lang.RuntimeException: Exit with code 1
	at scala.sys.package$.error(package.scala:27)
	at scripts.ScalaPBWorker$.work(ScalaPBWorker.scala:44)
	at io.bazel.rulesscala.worker.Worker.ephemeralWorkerMain(Worker.java:121)
	at io.bazel.rulesscala.worker.Worker.workerMain(Worker.java:41)
	at scripts.ScalaPBWorker$.main(ScalaPBWorker.scala:39)
	at scripts.ScalaPBWorker.main(ScalaPBWorker.scala)

The above error is because /tmp/protocbridgeXXX binary is executed from the /tmp folder.

A quick and dirty fix for this error in this context is to use this patch:

diff --git scala/private/rule_impls.bzl scala/private/rule_impls.bzl
index 19a8a3a..c297644 100644
--- scala/private/rule_impls.bzl
+++ scala/private/rule_impls.bzl
@@ -229,4 +229,4 @@ def allow_security_manager(ctx, runtime = None):
     java_runtime = runtime if runtime else ctx.attr._java_host_runtime[java_common.JavaRuntimeInfo]

     # Bazel 5.x doesn't have java_runtime.version defined
-    return ["-Djava.security.manager=allow"] if hasattr(java_runtime, "version") and java_runtime.version >= 17 else []
+    return ["-Djava.security.manager=allow", "-Djava.io.tmpdir=/tmp/bazel_rw_tmp"] if hasattr(java_runtime, "version") and java_runtime.version >= 17 else []

Here, /tmp/bazel_rw_tmp is a symlink that points to somewhere else, but any path that the user owns and can execute binaries.

It would be preferable to have a flag for this, but I can't say what would this look like.