core/core-agent-ide
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
core-agent-ide/codex-rs/linux-sandbox
History
viyatb-oai e1447c3009
feat: add support for read-only bind mounts in the linux sandbox (#9112) 
### Motivation

- Landlock alone cannot prevent writes to sensitive in-repo files like
`.git/` when the repo root is writable, so explicit mount restrictions
are required for those paths.
- The sandbox must set up any mounts before calling Landlock so Landlock
can still be applied afterwards and the two mechanisms compose
correctly.

### Description

- Add a new `linux-sandbox` helper `apply_read_only_mounts` in
`linux-sandbox/src/mounts.rs` that: unshares namespaces, maps uids/gids
when required, makes mounts private, bind-mounts targets, and remounts
them read-only.
- Wire the mount step into the sandbox flow by calling
`apply_read_only_mounts(...)` before network/seccomp and before applying
Landlock rules in `linux-sandbox/src/landlock.rs`.
2026-01-14 08:30:46 -08:00
..
src feat: add support for read-only bind mounts in the linux sandbox (#9112) 2026-01-14 08:30:46 -08:00
tests feat: add support for read-only bind mounts in the linux sandbox (#9112) 2026-01-14 08:30:46 -08:00
BUILD.bazel feat: add support for building with Bazel (#8875) 2026-01-09 11:09:43 -08:00
Cargo.toml fix: introduce AbsolutePathBuf as part of sandbox config (#7856) 2025-12-12 15:25:22 -08:00
README.md feat: add support for read-only bind mounts in the linux sandbox (#9112) 2026-01-14 08:30:46 -08:00

README.md

codex-linux-sandbox

This crate is responsible for producing:

  • a codex-linux-sandbox standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
  • a lib crate that exposes the business logic of the executable as run_main() so that
    • the codex-exec CLI can check if its arg0 is codex-linux-sandbox and, if so, execute as if it were codex-linux-sandbox
    • this should also be true of the codex multitool CLI

Git safety mounts (Linux)

When the sandbox policy allows workspace writes, the Linux sandbox uses a user namespace plus a mount namespace to bind-mount sensitive subpaths read-only before applying Landlock rules. This keeps Git and Codex metadata immutable while still allowing writes to other workspace files, including worktree setups where .git is a pointer file.

Protected subpaths under each writable root include:

  • .git (directory or pointer file)
  • the resolved gitdir: target when .git is a pointer file
  • .codex when present

How this plays with Landlock

Mount permissions and Landlock intersect: if a bind mount is read-only, writes are denied even if Landlock would allow them. For that reason, the sandbox sets up the read-only mounts before calling landlock_restrict_self() and then applies Landlock rules on top.

Quick manual test

Run the sandbox directly with a workspace-write policy (from a Git repository root):

codex-linux-sandbox \
  --sandbox-policy-cwd "$PWD" \
  --sandbox-policy '{"type":"workspace-write"}' \
  -- bash -lc '
set -euo pipefail

echo "should fail" > .git/config && exit 1 || true
echo "should fail" > .git/hooks/pre-commit && exit 1 || true
echo "should fail" > .git/index.lock && exit 1 || true
echo "should fail" > .codex/config.toml && exit 1 || true
echo "ok" > sandbox-write-test.txt
'

Expected behavior:

  • Writes to .git/config fail with Read-only file system.
  • Creating or modifying files under .git/hooks/ fails.
  • Writing .git/index.lock fails (since .git is read-only).
  • Writes under .codex/ fail when the directory exists.
  • Writing a normal repo file succeeds.