Suppress bwrap warning when sandboxing is bypassed (#16667)

Addresses #15282

Problem: Codex warned about missing system bubblewrap even when
sandboxing was disabled.

Solution: Gate the bwrap warning on the active sandbox policy and skip
it for danger-full-access and external-sandbox modes.
Eric Traut
2026-04-03 10:54:30 -07:00
committed by GitHub
Unverified
parent a3b3e7a6cc
commit 0f7394883e
5 changed files with 28 additions and 7 deletions
+3 -1
@@ -457,7 +457,9 @@ pub async fn run_main_with_transport(
range: None,
});
}
if let Some(warning) = codex_core::config::system_bwrap_warning() {
if let Some(warning) =
codex_core::config::system_bwrap_warning(config.permissions.sandbox_policy.get())
{
config_warnings.push(ConfigWarningNotification {
summary: warning,
details: None,
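Review bot: The sandbox policy is read only once here, while startup warnings are collected, so `system_bwrap_warning(config.permissions.sandbox_policy.get())` reflects just the policy the process started with. If the policy can change later in a session (not visible on this page), a session started in danger-full-access or external-sandbox mode and later switched to a sandboxed policy would never report that system bwrap is missing. The same one-shot gate appears in `run_exec_session` and in `emit_system_bwrap_warning`. Either confirm the policy is fixed after startup or re-evaluate the warning when it changes; at minimum add a comment such as `// Evaluated once at startup; a later switch to a sandboxed policy does not re-emit this warning.` The enclosing `run_main_with_transport` starts and ends outside this hunk.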
+4 -1
@@ -651,7 +651,10 @@ async fn run_exec_session(args: ExecRunArgs) -> anyhow::Result<()> {
// Print the effective configuration and initial request so users can see what Codex
// is using.
event_processor.print_config_summary(&config, &prompt_summary, &session_configured);
if !json_mode && let Some(message) = codex_core::config::system_bwrap_warning() {
if !json_mode
&& let Some(message) =
codex_core::config::system_bwrap_warning(config.permissions.sandbox_policy.get())
{
event_processor.process_warning(message);
}
+13 -1
@@ -1,12 +1,24 @@
use codex_protocol::protocol::SandboxPolicy;
use std::path::Path;
use std::path::PathBuf;
const SYSTEM_BWRAP_PROGRAM: &str = "bwrap";
pub fn system_bwrap_warning() -> Option<String> {
pub fn system_bwrap_warning(sandbox_policy: &SandboxPolicy) -> Option<String> {
if !should_warn_about_system_bwrap(sandbox_policy) {
return None;
}
system_bwrap_warning_for_lookup(find_system_bwrap_in_path())
}
fn should_warn_about_system_bwrap(sandbox_policy: &SandboxPolicy) -> bool {
!matches!(
sandbox_policy,
SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
)
}
fn system_bwrap_warning_for_lookup(system_bwrap_path: Option<PathBuf>) -> Option<String> {
match system_bwrap_path {
Some(_) => None,
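Review bot: `should_warn_about_system_bwrap` is a negated `matches!`, so any `SandboxPolicy` variant added later warns by default; that is the safe direction, but nothing in the code says it is intentional. A doc comment would pin it, e.g. `/// Only policies that bypass Codex's own sandboxing suppress the warning; every other variant, including future ones, still warns.` The additions visible in this file include no test for the new gate. A unit test asserting `false` for `SandboxPolicy::DangerFullAccess` and `true` for a sandboxed policy would keep a later refactor from silently hiding the warning. `system_bwrap_warning_for_lookup` continues past the end of this hunk.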
+3 -1
@@ -22,7 +22,9 @@ pub use manager::get_platform_sandbox;
use codex_protocol::error::CodexErr;
#[cfg(not(target_os = "linux"))]
pub fn system_bwrap_warning() -> Option<String> {
pub fn system_bwrap_warning(
_sandbox_policy: &codex_protocol::protocol::SandboxPolicy,
) -> Option<String> {
None
}
+5 -3
@@ -470,8 +470,10 @@ fn emit_project_config_warnings(app_event_tx: &AppEventSender, config: &Config)
)));
}
fn emit_system_bwrap_warning(app_event_tx: &AppEventSender) {
let Some(message) = codex_core::config::system_bwrap_warning() else {
fn emit_system_bwrap_warning(app_event_tx: &AppEventSender, config: &Config) {
let Some(message) =
codex_core::config::system_bwrap_warning(config.permissions.sandbox_policy.get())
else {
return;
};
@@ -3564,7 +3566,7 @@ impl App {
let (app_event_tx, mut app_event_rx) = unbounded_channel();
let app_event_tx = AppEventSender::new(app_event_tx);
emit_project_config_warnings(&app_event_tx, &config);
emit_system_bwrap_warning(&app_event_tx);
emit_system_bwrap_warning(&app_event_tx, &config);
tui.set_notification_method(config.tui_notification_method);
let harness_overrides =