diff --git a/clang/lib/Frontend/CompileJobCache.cpp b/clang/lib/Frontend/CompileJobCache.cpp
index 5376921648bd4..d98ce3fbfec1f 100644
--- a/clang/lib/Frontend/CompileJobCache.cpp
+++ b/clang/lib/Frontend/CompileJobCache.cpp
@@ -21,6 +21,7 @@
 #include "llvm/MCCAS/MCCASObjectV1.h"
 #include "llvm/RemoteCachingService/Client.h"
 #include "llvm/Support/FileOutputBuffer.h"
+#include "llvm/Support/IOSandbox.h"
 #include "llvm/Support/Path.h"
 #include "llvm/Support/PrefixMapper.h"
 #include "llvm/Support/Process.h"
@@ -594,7 +595,11 @@ Expected<bool> CompileJobCache::maybeIngestNonVirtualOutputFromFileSystem(
     StringRef OutputPath = FrontendOpts.OutputFile;
     if (OutputPath.empty())
       return false;
-    if (llvm::sys::fs::is_directory(OutputPath)) {
+    bool IsDirectory = [&] {
+      auto BypassSandbox = llvm::sys::sandbox::scopedDisable();
+      return llvm::sys::fs::is_directory(OutputPath);
+    }();
+    if (IsDirectory) {
       // FIXME: A directory is produced for the 'html' output of the analyzer,
       // support it for caching purposes.
       Clang.getDiagnostics().Report(diag::warn_clang_cache_disabled_caching)
@@ -708,6 +713,8 @@ Expected<llvm::cas::ObjectRef> ObjectStoreCachingOutputs::writeOutputs(
 }
 
 Error ObjectStoreCachingOutputs::addNonVirtualOutputFile(StringRef FilePath) {
+  auto BypassSandbox = llvm::sys::sandbox::scopedDisable();
+
   auto F = llvm::sys::fs::openNativeFileForRead(FilePath);
   if (!F)
     return F.takeError();
diff --git a/clang/tools/driver/cc1depscan_main.cpp b/clang/tools/driver/cc1depscan_main.cpp
index e22100aba900c..2b996bdec56d8 100644
--- a/clang/tools/driver/cc1depscan_main.cpp
+++ b/clang/tools/driver/cc1depscan_main.cpp
@@ -729,9 +729,12 @@ int cc1depscand_main(ArrayRef<const char *> Argv, const char *Argv0,
   }
 
   // Create the base directory if necessary.
-  StringRef BaseDir = llvm::sys::path::parent_path(Server.BasePath);
-  if (std::error_code EC = llvm::sys::fs::create_directories(BaseDir))
-    reportError(Twine("cannot create basedir: ") + EC.message());
+  {
+    auto BypassSandbox = llvm::sys::sandbox::scopedDisable();
+    StringRef BaseDir = llvm::sys::path::parent_path(Server.BasePath);
+    if (std::error_code EC = llvm::sys::fs::create_directories(BaseDir))
+      reportError(Twine("cannot create basedir: ") + EC.message());
+  }
 
   if (Command == "-serve") {
     Server.start(/*Exclusive*/ true, CASArgs);
@@ -782,6 +785,8 @@ int cc1depscand_main(ArrayRef<const char *> Argv, const char *Argv0,
   (Server.BasePath + ".err").toVector(LogErrPath);
 
   auto openAndReplaceFD = [&](int ReplacedFD, StringRef Path) {
+    auto BypassSandbox = llvm::sys::sandbox::scopedDisable();
+
     int FD;
     if (std::error_code EC = llvm::sys::fs::openFile(
             Path, FD, llvm::sys::fs::CD_CreateAlways, llvm::sys::fs::FA_Write,
@@ -835,6 +840,8 @@ void ScanServer::start(bool Exclusive, ArrayRef<const char *> CASArgs) {
   CompilerInvocation::ParseCASArgs(CASOpts, ParsedCASArgs, Diags);
   CASOpts.ensurePersistentCAS();
 
+  auto BypassSandbox = llvm::sys::sandbox::scopedDisable();
+
   static std::once_flag ValidateOnce;
   std::call_once(ValidateOnce, [&] {
     if (getenv("LLVM_CAS_DISABLE_VALIDATION"))