History

viyatb-oai e99e8e4a6b fix: follow up on linux sandbox review nits (#14440 ) ## Summary - address the follow-up review nits from #13996 in a separate PR - make the approvals test command a raw string and keep the managed-network path using env proxy routing - inline `--apply-seccomp-then-exec` in the Linux sandbox inner command builder - remove the bubblewrap-specific sandbox metric tag path and drop the `use_legacy_landlock` shim from `sandbox_tag`/`TurnMetadataState::new` - restore the `Feature` import that `origin/main` currently still needs in `connectors.rs` ## Testing - `cargo test -p codex-linux-sandbox` - focused `codex-core` tests were rerun/started, but the final verification pass was interrupted when I pushed at request		2026-03-11 23:59:50 -07:00
..
src	fix: follow up on linux sandbox review nits (#14440 )	2026-03-11 23:59:50 -07:00
tests	refactor: make bubblewrap the default Linux sandbox (#13996 )	2026-03-11 23:31:18 -07:00
BUILD.bazel	build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498 )	2026-02-11 21:30:41 -08:00
build.rs	build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498 )	2026-02-11 21:30:41 -08:00
Cargo.toml	feat(linux-sandbox): implement proxy-only egress via TCP-UDS-TCP bridge (#11293 )	2026-02-21 18:16:34 +00:00
config.h	build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498 )	2026-02-11 21:30:41 -08:00
README.md	refactor: make bubblewrap the default Linux sandbox (#13996 )	2026-03-11 23:31:18 -07:00

README.md

codex-linux-sandbox

This crate is responsible for producing:

a codex-linux-sandbox standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
a lib crate that exposes the business logic of the executable as run_main() so that
- the codex-exec CLI can check if its arg0 is codex-linux-sandbox and, if so, execute as if it were codex-linux-sandbox
- this should also be true of the codex multitool CLI

On Linux, the bubblewrap pipeline uses the vendored bubblewrap path compiled into this binary.

Current Behavior

Legacy Landlock + mount protections remain available as the legacy pipeline.
The default Linux sandbox pipeline is bubblewrap on the vendored path.
Set features.use_legacy_landlock = true (or CLI -c use_legacy_landlock=true) to force the legacy Landlock fallback.
When the default bubblewrap pipeline is active, it applies PR_SET_NO_NEW_PRIVS and a seccomp network filter in-process.
When the default bubblewrap pipeline is active, the filesystem is read-only by default via --ro-bind / /.
When the default bubblewrap pipeline is active, writable roots are layered with --bind <root> <root>.
When the default bubblewrap pipeline is active, protected subpaths under writable roots (for example .git, resolved gitdir:, and .codex) are re-applied as read-only via --ro-bind.
When the default bubblewrap pipeline is active, symlink-in-path and non-existent protected paths inside writable roots are blocked by mounting /dev/null on the symlink or first missing component.
When the default bubblewrap pipeline is active, the helper explicitly isolates the user namespace via --unshare-user and the PID namespace via --unshare-pid.
When the default bubblewrap pipeline is active and network is restricted without proxy routing, the helper also isolates the network namespace via --unshare-net.
In managed proxy mode, the helper uses --unshare-net plus an internal TCP->UDS->TCP routing bridge so tool traffic reaches only configured proxy endpoints.
In managed proxy mode, after the bridge is live, seccomp blocks new AF_UNIX/socketpair creation for the user command.
When the default bubblewrap pipeline is active, it mounts a fresh /proc via --proc /proc by default, but you can skip this in restrictive container environments with --no-proc.

Notes

The CLI surface still uses legacy names like codex debug landlock.