Are you enabling sandboxing? Use `--spawn_strategy=sandboxed`, or better yet `--spawn_strategy=worker,sandboxed --worker_sandboxing`. That should disallow using files from the base system.
This does disable multiplex workers,.which can make it more memory intensive. Working on that.
Yes, I was using their sandbox. They intentionally make their sandbox weak so you can use things like gcc from the system without having to bootstrap them.
I don't know exactly what I tried since this was maybe a year and a half ago. I tried asking on their slack, but I think I was told that it was not possible. I don't have the project around anymore to try out your suggestion.
This is controlled by their default toolchain that includes /usr/include and such. You can define your own toolchain with different include directories.
This does disable multiplex workers,.which can make it more memory intensive. Working on that.