core-agent-ide/codex-rs/linux-sandbox/src
viyatb-oai ae4de43ccc
feat(linux-sandbox): add bwrap support (#9938)
## Summary
This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
current Linux sandbox path relies on in-process restrictions (including
Landlock). Bubblewrap gives us a more uniform filesystem isolation
model, especially explicit writable roots with the option to make some
directories read-only and granular network controls.

This is behind a feature flag so we can validate behavior safely before
making it the default.

- Added temporary rollout flag:
  - `features.use_linux_sandbox_bwrap`
- Preserved existing default path when the flag is off.
- In Bubblewrap mode:
  - Added internal retry without /proc when /proc mount is not permitted
    by the host/container.
2026-02-04 11:13:17 -08:00
bwrap.rs feat(linux-sandbox): add bwrap support (#9938) 2026-02-04 11:13:17 -08:00
landlock.rs feat(linux-sandbox): add bwrap support (#9938) 2026-02-04 11:13:17 -08:00
lib.rs feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413) 2026-02-02 23:33:46 -08:00
linux_run_main.rs feat(linux-sandbox): add bwrap support (#9938) 2026-02-04 11:13:17 -08:00
main.rs fix: overhaul how we spawn commands under seccomp/landlock on Linux (#1086) 2025-05-23 11:37:07 -07:00
vendored_bwrap.rs feat(linux-sandbox): add bwrap support (#9938) 2026-02-04 11:13:17 -08:00