2 Commits

  • vendor: update bubblewrap to 0.11.2 (#21389)
    ## Why
    
    `codex-rs/vendor/bubblewrap` had fallen behind upstream, and upstream
    `v0.11.2` is the current Bubblewrap release. The release is a security
    update for `CVE-2026-41163`, affecting setuid Bubblewrap builds, and
    deprecates setuid support in favor of the default non-setuid build mode.
    
    ## What changed
    
    - Refreshed the vendored Bubblewrap sources under
    `codex-rs/vendor/bubblewrap` to upstream `v0.11.2`.
    - Brought in the upstream `-Dsupport_setuid` build option, which
    defaults setuid support off.
    - Updated vendored release notes and documentation files included with
    Bubblewrap.
    
    ## Verification
    
    Not run locally; this PR only refreshes the vendored upstream Bubblewrap
    source snapshot.
    
    Upstream release:
    https://github.com/containers/bubblewrap/releases/tag/v0.11.2
  • feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)
    ## Summary
    
    Vendor Bubblewrap into the repo and add minimal build plumbing in
    `codex-linux-sandbox` to compile/link it.
    
    ## Why
    
    We want to move Linux sandboxing toward Bubblewrap, but in a safe
    two-step rollout:
    1) vendoring/build setup (this PR),  
    2) runtime integration (follow-up PR).
    
    ## Included
    
    - Add `codex-rs/vendor/bubblewrap` sources.
    - Add build-time FFI path in `codex-rs/linux-sandbox`.
    - Update `build.rs` rerun tracking for vendored files.
    - Small vendored compile warning fix (`sockaddr_nl` full init).
    
    follow up in https://github.com/openai/codex/pull/9938