core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
core-agent-ide/codex-rs/linux-sandbox
History
Josh McKinney 34c88d10ea
deflake linux-sandbox NoNewPrivs timeout (#11245) 
Deflake `codex-linux-sandbox::all
suite::landlock::test_no_new_privs_is_enabled`.

CI has intermittently failed with `Sandbox(Timeout)` (exit 124) because
the sandboxed
`grep '^NoNewPrivs:' /proc/self/status` can run close to the short
timeout budget.

This updates only this test to use `LONG_TIMEOUT_MS`, which removes the
near-threshold timeout
behavior while keeping the rest of the suite unchanged.

Refs (previous failures):
- PR:
https://github.com/openai/codex/actions/runs/21836764823/job/63009902779
- PR:
https://github.com/openai/codex/actions/runs/21837427251/job/63012470353
- main:
https://github.com/openai/codex/actions/runs/21830746538/job/62988079964

Validation:
- Local: `cd codex-rs && cargo test -p codex-linux-sandbox` (non-Linux
runs 0 tests)
2026-02-10 03:03:58 +00:00
..
src fix(linux-sandbox): block io_uring syscalls in no-network seccomp policy (#10814) 2026-02-06 11:00:54 -08:00
tests deflake linux-sandbox NoNewPrivs timeout (#11245) 2026-02-10 03:03:58 +00:00
BUILD.bazel feat: add support for building with Bazel (#8875) 2026-01-09 11:09:43 -08:00
build.rs feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413) 2026-02-02 23:33:46 -08:00
Cargo.toml feat(linux-sandbox): add bwrap support (#9938) 2026-02-04 11:13:17 -08:00
README.md feat(linux-sandbox): add bwrap support (#9938) 2026-02-04 11:13:17 -08:00

README.md

codex-linux-sandbox

This crate is responsible for producing:

  • a codex-linux-sandbox standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
  • a lib crate that exposes the business logic of the executable as run_main() so that
    • the codex-exec CLI can check if its arg0 is codex-linux-sandbox and, if so, execute as if it were codex-linux-sandbox
    • this should also be true of the codex multitool CLI

On Linux, the bubblewrap pipeline uses the vendored bubblewrap path compiled into this binary.

Current Behavior

  • Legacy Landlock + mount protections remain available as the legacy pipeline.
  • The bubblewrap pipeline is standardized on the vendored path.
  • During rollout, the bubblewrap pipeline is gated by the temporary feature flag use_linux_sandbox_bwrap (CLI -c alias for features.use_linux_sandbox_bwrap; legacy remains default when off).
  • When enabled, the bubblewrap pipeline applies PR_SET_NO_NEW_PRIVS and a seccomp network filter in-process.
  • When enabled, the filesystem is read-only by default via --ro-bind / /.
  • When enabled, writable roots are layered with --bind <root> <root>.
  • When enabled, protected subpaths under writable roots (for example .git, resolved gitdir:, and .codex) are re-applied as read-only via --ro-bind.
  • When enabled, symlink-in-path and non-existent protected paths inside writable roots are blocked by mounting /dev/null on the symlink or first missing component.
  • When enabled, the helper isolates the PID namespace via --unshare-pid.
  • When enabled, it mounts a fresh /proc via --proc /proc by default, but you can skip this in restrictive container environments with --no-proc.

Notes

  • The CLI surface still uses legacy names like codex debug landlock.