mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
fb0aaf94de7db12e22a293f5b0dd26aa6c8d6a8e
46 Commits
-
build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498)
## Summary This PR removes the temporary `CODEX_BWRAP_ENABLE_FFI` flag and makes Linux builds always compile vendored bubblewrap support for `codex-linux-sandbox`. ## Changes - Removed `CODEX_BWRAP_ENABLE_FFI` gating from `codex-rs/linux-sandbox/build.rs`. - Linux builds now fail fast if vendored bubblewrap compilation fails (instead of warning and continuing). - Updated fallback/help text in `codex-rs/linux-sandbox/src/vendored_bwrap.rs` to remove references to `CODEX_BWRAP_ENABLE_FFI`. - Removed `CODEX_BWRAP_ENABLE_FFI` env wiring from: - `.github/workflows/rust-ci.yml` - `.github/workflows/bazel.yml` - `.github/workflows/rust-release.yml` --------- Co-authored-by: David Zbarsky <zbarsky@openai.com>
viyatb-oai ·
2026-02-11 21:30:41 -08:00 -
feat: make sandbox read access configurable with
ReadOnlyAccess(#11387)`SandboxPolicy::ReadOnly` previously implied broad read access and could not express a narrower read surface. This change introduces an explicit read-access model so we can support user-configurable read restrictions in follow-up work, while preserving current behavior today. It also ensures unsupported backends fail closed for restricted-read policies instead of silently granting broader access than intended. ## What - Added `ReadOnlyAccess` in protocol with: - `Restricted { include_platform_defaults, readable_roots }` - `FullAccess` - Updated `SandboxPolicy` to carry read-access configuration: - `ReadOnly { access: ReadOnlyAccess }` - `WorkspaceWrite { ..., read_only_access: ReadOnlyAccess }` - Preserved existing behavior by defaulting current construction paths to `ReadOnlyAccess::FullAccess`. - Threaded the new fields through sandbox policy consumers and call sites across `core`, `tui`, `linux-sandbox`, `windows-sandbox`, and related tests. - Updated Seatbelt policy generation to honor restricted read roots by emitting scoped read rules when full read access is not granted. - Added fail-closed behavior on Linux and Windows backends when restricted read access is requested but not yet implemented there (`UnsupportedOperation`). - Regenerated app-server protocol schema and TypeScript artifacts, including `ReadOnlyAccess`. ## Compatibility / rollout - Runtime behavior remains unchanged by default (`FullAccess`). - API/schema changes are in place so future config wiring can enable restricted read access without another policy-shape migration.Michael Bolin ·
2026-02-11 18:31:14 -08:00 -
feat(sandbox): enforce proxy-aware network routing in sandbox (#11113)
## Summary - expand proxy env injection to cover common tool env vars (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`/`NO_PROXY` families + tool-specific variants) - harden macOS Seatbelt network policy generation to route through inferred loopback proxy endpoints and fail closed when proxy env is malformed - thread proxy-aware Linux sandbox flags and add minimal bwrap netns isolation hook for restricted non-proxy runs - add/refresh tests for proxy env wiring, Seatbelt policy generation, and Linux sandbox argument wiring
viyatb-oai ·
2026-02-10 07:44:21 +00:00 -
deflake linux-sandbox NoNewPrivs timeout (#11245)
Deflake `codex-linux-sandbox::all suite::landlock::test_no_new_privs_is_enabled`. CI has intermittently failed with `Sandbox(Timeout)` (exit 124) because the sandboxed `grep '^NoNewPrivs:' /proc/self/status` can run close to the short timeout budget. This updates only this test to use `LONG_TIMEOUT_MS`, which removes the near-threshold timeout behavior while keeping the rest of the suite unchanged. Refs (previous failures): - PR: https://github.com/openai/codex/actions/runs/21836764823/job/63009902779 - PR: https://github.com/openai/codex/actions/runs/21837427251/job/63012470353 - main: https://github.com/openai/codex/actions/runs/21830746538/job/62988079964 Validation: - Local: `cd codex-rs && cargo test -p codex-linux-sandbox` (non-Linux runs 0 tests)
Josh McKinney ·
2026-02-10 03:03:58 +00:00 -
feat: include NetworkConfig through ExecParams (#11105)
This PR adds the following field to `Config`: ```rust pub network: Option<NetworkProxy>, ``` Though for the moment, it will always be initialized as `None` (this will be addressed in a subsequent PR). This PR does the work to thread `network` through to `execute_exec_env()`, `process_exec_tool_call()`, and `UnifiedExecRuntime.run()` to ensure it is available whenever we span a process.
Michael Bolin ·
2026-02-09 03:32:17 +00:00 -
fix(linux-sandbox): block io_uring syscalls in no-network seccomp policy (#10814)
## Summary - Add seccomp deny rules for `io_uring` syscalls in the Linux sandbox network policy. - Specifically deny: - `SYS_io_uring_setup` - `SYS_io_uring_enter` - `SYS_io_uring_register`
viyatb-oai ·
2026-02-06 11:00:54 -08:00 -
feat(linux-sandbox): add bwrap support (#9938)
## Summary This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The curent Linux sandbox path relies on in-process restrictions (including Landlock). Bubblewrap gives us a more uniform filesystem isolation model, especially explicit writable roots with the option to make some directories read-only and granular network controls. This is behind a feature flag so we can validate behavior safely before making it the default. - Added temporary rollout flag: - `features.use_linux_sandbox_bwrap` - Preserved existing default path when the flag is off. - In Bubblewrap mode: - Added internal retry without /proc when /proc mount is not permitted by the host/container.
viyatb-oai ·
2026-02-04 11:13:17 -08:00 -
Inject CODEX_THREAD_ID into the terminal environment (#10096)
Inject CODEX_THREAD_ID (when applicable) into the terminal environment so that the agent (and skills) can refer to the current thread / session ID. Discussion: https://openai.slack.com/archives/C095U48JNL9/p1769542492067109
Max Johnson ·
2026-02-03 11:31:12 -08:00 -
feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)
## Summary Vendor Bubblewrap into the repo and add minimal build plumbing in `codex-linux-sandbox` to compile/link it. ## Why We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout: 1) vendoring/build setup (this PR), 2) runtime integration (follow-up PR). ## Included - Add `codex-rs/vendor/bubblewrap` sources. - Add build-time FFI path in `codex-rs/linux-sandbox`. - Update `build.rs` rerun tracking for vendored files. - Small vendored compile warning fix (`sockaddr_nl` full init). follow up in https://github.com/openai/codex/pull/9938
viyatb-oai ·
2026-02-02 23:33:46 -08:00 -
remove sandbox globals. (#9797)
Threads sandbox updates through OverrideTurnContext for active turn Passes computed sandbox type into safety/exec
iceweasel-oai ·
2026-01-27 11:04:23 -08:00 -
revert: remove pre-Landlock bind mounts apply (#9300)
**Description** This removes the pre‑Landlock read‑only bind‑mount step from the Linux sandbox so filesystem restrictions rely solely on Landlock again. `mounts.rs` is kept in place but left unused. The linux‑sandbox README is updated to match the new behavior and manual test expectations.
viyatb-oai ·
2026-01-15 09:47:57 -08:00 -
fix: fallback to Landlock-only when user namespaces unavailable and set PR_SET_NO_NEW_PRIVS early (#9250)
fixes https://github.com/openai/codex/issues/9236 ### Motivation - Prevent sandbox setup from failing when unprivileged user namespaces are denied so Landlock-only protections can still be applied. - Ensure `PR_SET_NO_NEW_PRIVS` is set before installing seccomp and Landlock restrictions to avoid kernel `EPERM`/`LandlockRestrict` ordering issues. ### Description - Add `is_permission_denied` helper that detects `EPERM` / `PermissionDenied` from `CodexErr` to drive fallback logic. - In `apply_read_only_mounts` skip read-only bind-mount setup and return `Ok(())` when `unshare_user_and_mount_namespaces()` fails with permission-denied so Landlock rules can still be installed. - Add `set_no_new_privs()` and call it from `apply_sandbox_policy_to_current_thread` before installing seccomp filters and Landlock rules when disk or network access is restricted.
viyatb-oai ·
2026-01-14 22:24:34 -08:00 -
fix: correct linux sandbox uid/gid mapping after unshare (#9234)
fixes https://github.com/openai/codex/issues/9233 ## Summary - capture effective uid/gid before unshare for user namespace maps - pass captured ids into uid/gid map writer ## Testing - just fmt - just fix -p codex-linux-sandbox - cargo test -p codex-linux-sandbox
viyatb-oai ·
2026-01-14 15:35:53 -08:00 -
feat: add support for read-only bind mounts in the linux sandbox (#9112)
### Motivation - Landlock alone cannot prevent writes to sensitive in-repo files like `.git/` when the repo root is writable, so explicit mount restrictions are required for those paths. - The sandbox must set up any mounts before calling Landlock so Landlock can still be applied afterwards and the two mechanisms compose correctly. ### Description - Add a new `linux-sandbox` helper `apply_read_only_mounts` in `linux-sandbox/src/mounts.rs` that: unshares namespaces, maps uids/gids when required, makes mounts private, bind-mounts targets, and remounts them read-only. - Wire the mount step into the sandbox flow by calling `apply_read_only_mounts(...)` before network/seccomp and before applying Landlock rules in `linux-sandbox/src/landlock.rs`.
viyatb-oai ·
2026-01-14 08:30:46 -08:00 -
feat: add support for building with Bazel (#8875)
This PR configures Codex CLI so it can be built with [Bazel](https://bazel.build) in addition to Cargo. The `.bazelrc` includes configuration so that remote builds can be done using [BuildBuddy](https://www.buildbuddy.io). If you are familiar with Bazel, things should work as you expect, e.g., run `bazel test //... --keep-going` to run all the tests in the repo, but we have also added some new aliases in the `justfile` for convenience: - `just bazel-test` to run tests locally - `just bazel-remote-test` to run tests remotely (currently, the remote build is for x86_64 Linux regardless of your host platform). Note we are currently seeing the following test failures in the remote build, so we still need to figure out what is happening here: ``` failures: suite::compact::manual_compact_twice_preserves_latest_user_messages suite::compact_resume_fork::compact_resume_after_second_compaction_preserves_history suite::compact_resume_fork::compact_resume_and_fork_preserve_model_history_view ``` - `just build-for-release` to build release binaries for all platforms/architectures remotely To setup remote execution: - [Create a buildbuddy account](https://app.buildbuddy.io/) (OpenAI employees should also request org access at https://openai.buildbuddy.io/join/ with their `@openai.com` email address.) - [Copy your API key](https://app.buildbuddy.io/docs/setup/) to `~/.bazelrc` (add the line `build --remote_header=x-buildbuddy-api-key=YOUR_KEY`) - Use `--config=remote` in your `bazel` invocations (or add `common --config=remote` to your `~/.bazelrc`, or use the `just` commands) ## CI In terms of CI, this PR introduces `.github/workflows/bazel.yml`, which uses Bazel to run the tests _locally_ on Mac and Linux GitHub runners (we are working on supporting Windows, but that is not ready yet). Note that the failures we are seeing in `just bazel-remote-test` do not occur on these GitHub CI jobs, so everything in `.github/workflows/bazel.yml` is green right now. The `bazel.yml` uses extra config in `.github/workflows/ci.bazelrc` so that macOS CI jobs build _remotely_ on Linux hosts (using the `docker://docker.io/mbolin491/codex-bazel` Docker image declared in the root `BUILD.bazel`) using cross-compilation to build the macOS artifacts. Then these artifacts are downloaded locally to GitHub's macOS runner so the tests can be executed natively. This is the relevant config that enables this: ``` common:macos --config=remote common:macos --strategy=remote common:macos --strategy=TestRunner=darwin-sandbox,local ``` Because of the remote caching benefits we get from BuildBuddy, these new CI jobs can be extremely fast! For example, consider these two jobs that ran all the tests on Linux x86_64: - Bazel 1m37s https://github.com/openai/codex/actions/runs/20861063212/job/59940545209?pr=8875 - Cargo 9m20s https://github.com/openai/codex/actions/runs/20861063192/job/59940559592?pr=8875 For now, we will continue to run both the Bazel and Cargo jobs for PRs, but once we add support for Windows and running Clippy, we should be able to cutover to using Bazel exclusively for PRs, which should still speed things up considerably. We will probably continue to run the Cargo jobs post-merge for commits that land on `main` as a sanity check. Release builds will also continue to be done by Cargo for now. Earlier attempt at this PR: https://github.com/openai/codex/pull/8832 Earlier attempt to add support for Buck2, now abandoned: https://github.com/openai/codex/pull/8504 --------- Co-authored-by: David Zbarsky <dzbarsky@gmail.com> Co-authored-by: Michael Bolin <mbolin@openai.com>
zbarsky-openai ·
2026-01-09 11:09:43 -08:00 -
fix: introduce AbsolutePathBuf as part of sandbox config (#7856)
Changes the `writable_roots` field of the `WorkspaceWrite` variant of the `SandboxPolicy` enum from `Vec<PathBuf>` to `Vec<AbsolutePathBuf>`. This is helpful because now callers can be sure the value is an absolute path rather than a relative one. (Though when using an absolute path in a Seatbelt config policy, we still have to _canonicalize_ it first.) Because `writable_roots` can be read from a config file, it is important that we are able to resolve relative paths properly using the parent folder of the config file as the base path.
Michael Bolin ·
2025-12-12 15:25:22 -08:00 -
refactoring with_escalated_permissions to use SandboxPermissions instead (#7750)
helpful in the future if we want more granularity for requesting escalated permissions: e.g when running in readonly sandbox, model can request to escalate to a sandbox that allows writes
zhao-oai ·
2025-12-10 17:18:48 +00:00 -
fix: allow sendmsg(2) and recvmsg(2) syscalls in our Linux sandbox (#7779)
This changes our default Landlock policy to allow `sendmsg(2)` and `recvmsg(2)` syscalls. We believe these were originally denied out of an abundance of caution, but given that `send(2)` nor `recv(2)` are allowed today [which provide comparable capability to the `*msg` equivalents], we do not believe allowing them grants any privileges beyond what we already allow. Rather than using the syscall as the security boundary, preventing access to the potentially hazardous file descriptor in the first place seems like the right layer of defense. In particular, this makes it possible for `shell-tool-mcp` to run on Linux when using a read-only sandbox for the Bash process, as demonstrated by `accept_elicitation_for_prompt_rule()` now succeeding in CI.
Michael Bolin ·
2025-12-09 09:24:01 -08:00 -
chore: add cargo-deny configuration (#7119)
- add GitHub workflow running cargo-deny on push/PR - document cargo-deny allowlist with workspace-dep notes and advisory ignores - align workspace crates to inherit version/edition/license for consistent checks
Josh McKinney ·
2025-11-24 12:22:18 -08:00 -
refactor: inline sandbox type lookup in process_exec_tool_call (#7122)
`process_exec_tool_call()` was taking `SandboxType` as a param, but in practice, the only place it was constructed was in `codex_message_processor.rs` where it was derived from the other `sandbox_policy` param, so this PR inlines the logic that decides the `SandboxType` into `process_exec_tool_call()`. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/7122). * #7112 * __->__ #7122
Michael Bolin ·
2025-11-21 22:53:05 +00:00 -
feat: update process_exec_tool_call() to take a cancellation token (#6972)
This updates `ExecParams` so that instead of taking `timeout_ms: Option<u64>`, it now takes a more general cancellation mechanism, `ExecExpiration`, which is an enum that includes a `Cancellation(tokio_util::sync::CancellationToken)` variant. If the cancellation token is fired, then `process_exec_tool_call()` returns in the same way as if a timeout was exceeded. This is necessary so that in #6973, we can manage the timeout logic external to the `process_exec_tool_call()` because we want to "suspend" the timeout when an elicitation from a human user is pending. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/6972). * #7005 * #6973 * __->__ #6972
Michael Bolin ·
2025-11-20 16:29:57 -08:00 -
jif-oai ·
2025-10-30 10:28:32 +00:00 -
chore: rework tools execution workflow (#5278)
Re-work the tool execution flow. Read `orchestrator.rs` to understand the structure
jif-oai ·
2025-10-20 20:57:37 +01:00 -
chore: clippy on redundant closure (#4058)
Add redundant closure clippy rules and let Codex fix it by minimising FQP
jif-oai ·
2025-09-22 19:30:16 +00:00 -
chore: unify cargo versions (#4044)
Unify cargo versions at root
jif-oai ·
2025-09-22 16:47:01 +00:00 -
fix: ensure cwd for conversation and sandbox are separate concerns (#3874)
Previous to this PR, both of these functions take a single `cwd`: https://github.com/openai/codex/blob/71038381aa0f51aa62e1a2bcc7cbf26a05b141f3/codex-rs/core/src/seatbelt.rs#L19-L25 https://github.com/openai/codex/blob/71038381aa0f51aa62e1a2bcc7cbf26a05b141f3/codex-rs/core/src/landlock.rs#L16-L23 whereas `cwd` and `sandbox_cwd` should be set independently (fixed in this PR). Added `sandbox_distinguishes_command_and_policy_cwds()` to `codex-rs/exec/tests/suite/sandbox.rs` to verify this.
Michael Bolin ·
2025-09-18 14:37:06 -07:00 -
Include command output when sending timeout to model (#3576)
Being able to see the output helps the model decide how to handle the timeout.
pakrym-oai ·
2025-09-14 14:38:26 -07:00 -
feat: Run cargo shear during CI (#3338)
Run cargo shear as part of the CI to ensure no unused dependencies
jif-oai ·
2025-09-09 01:05:08 +00:00 -
test: faster test execution in codex-core (#2633)
this dramatically improves time to run `cargo test -p codex-core` (~25x speedup). before: ``` cargo test -p codex-core 35.96s user 68.63s system 19% cpu 8:49.80 total ``` after: ``` cargo test -p codex-core 5.51s user 8.16s system 63% cpu 21.407 total ``` both tests measured "hot", i.e. on a 2nd run with no filesystem changes, to exclude compile times. approach inspired by [Delete Cargo Integration Tests](https://matklad.github.io/2021/02/27/delete-cargo-integration-tests.html), we move all test cases in tests/ into a single suite in order to have a single binary, as there is significant overhead for each test binary executed, and because test execution is only parallelized with a single binary.
Jeremy Rose ·
2025-08-24 11:10:53 -07:00 -
chore(deps): bump libc from 0.2.174 to 0.2.175 in /codex-rs (#2406)
Bumps [libc](https://github.com/rust-lang/libc) from 0.2.174 to 0.2.175. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/releases">libc's releases</a>.</em></p> <blockquote> <h2>0.2.175</h2> <h3>Added</h3> <ul> <li>AIX: Add <code>getpeereid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4524">#4524</a>)</li> <li>AIX: Add <code>struct ld_info</code> and friends (<a href="https://redirect.github.com/rust-lang/libc/pull/4578">#4578</a>)</li> <li>AIX: Retore <code>struct winsize</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4577">#4577</a>)</li> <li>Android: Add UDP socket option constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4619">#4619</a>)</li> <li>Android: Add <code>CLONE_CLEAR_SIGHAND</code> and <code>CLONE_INTO_CGROUP</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4502">#4502</a>)</li> <li>Android: Add more <code>prctl</code> constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4531">#4531</a>)</li> <li>FreeBSD Add further TCP stack-related constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4196">#4196</a>)</li> <li>FreeBSD x86-64: Add <code>mcontext_t.mc_tlsbase </code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4503">#4503</a>)</li> <li>FreeBSD15: Add <code>kinfo_proc.ki_uerrmsg</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>FreeBSD: Add <code>in_conninfo</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xinpgen</code> and related types (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xktls_session</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>Haiku: Add functionality from <code>libbsd</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4221">#4221</a>)</li> <li>Linux: Add <code>SECBIT_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4480">#4480</a>)</li> <li>NetBSD, OpenBSD: Export <code>ioctl</code> request generator macros (<a href="https://redirect.github.com/rust-lang/libc/pull/4460">#4460</a>)</li> <li>NetBSD: Add <code>ptsname_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4608">#4608</a>)</li> <li>RISCV32: Add time-related syscalls (<a href="https://redirect.github.com/rust-lang/libc/pull/4612">#4612</a>)</li> <li>Solarish: Add <code>strftime*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4453">#4453</a>)</li> <li>linux: Add <code>EXEC_RESTRICT_*</code> and <code>EXEC_DENY_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4545">#4545</a>)</li> </ul> <h3>Changed</h3> <ul> <li>AIX: Add <code>const</code> to signatures to be consistent with other platforms (<a href="https://redirect.github.com/rust-lang/libc/pull/4563">#4563</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>AIX: Fix the type of <code>struct statvfs.f_fsid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4576">#4576</a>)</li> <li>AIX: Fix the type of constants for the <code>ioctl</code> <code>request</code> argument (<a href="https://redirect.github.com/rust-lang/libc/pull/4582">#4582</a>)</li> <li>AIX: Fix the types of <code>stat{,64}.st_*tim</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4597">#4597</a>)</li> <li>AIX: Use unique <code>errno</code> values (<a href="https://redirect.github.com/rust-lang/libc/pull/4507">#4507</a>)</li> <li>Build: Fix an incorrect <code>target_os</code> -> <code>target_arch</code> check (<a href="https://redirect.github.com/rust-lang/libc/pull/4550">#4550</a>)</li> <li>FreeBSD: Fix the type of <code>xktls_session_onedir.ifnet</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>Mips64 musl: Fix the type of <code>nlink_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4509">#4509</a>)</li> <li>Mips64 musl: Use a special MIPS definition of <code>stack_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4528">#4528</a>)</li> <li>Mips64: Fix <code>SI_TIMER</code>, <code>SI_MESGQ</code> and <code>SI_ASYNCIO</code> definitions (<a href="https://redirect.github.com/rust-lang/libc/pull/4529">#4529</a>)</li> <li>Musl Mips64: Swap the order of <code>si_errno</code> and <code>si_code</code> in <code>siginfo_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4530">#4530</a>)</li> <li>Musl Mips64: Use a special MIPS definition of <code>statfs</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4527">#4527</a>)</li> <li>Musl: Fix the definition of <code>fanotify_event_metadata</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4510">#4510</a>)</li> <li>NetBSD: Correct <code>enum fae_action</code> to be <code>#[repr(C)]</code> (<a href="https://github.com/rust-lang/libc/commit/60a8cfd564f83164d45b9533ff7a0d7371878f2a">#60a8cfd5</a>)</li> <li>PSP: Correct <code>char</code> -> <code>c_char</code> (<a href="https://github.com/rust-lang/libc/commit/eaab4fc3f05dc646a953d4fd5ba46dfa1f8bd6f6">eaab4fc3</a>)</li> <li>PowerPC musl: Fix <code>termios</code> definitions (<a href="https://redirect.github.com/rust-lang/libc/pull/4518">#4518</a>)</li> <li>PowerPC musl: Fix the definition of <code>EDEADLK</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4517">#4517</a>)</li> <li>PowerPC musl: Fix the definition of <code>NCCS</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4513">#4513</a>)</li> <li>PowerPC musl: Fix the definitions of <code>MAP_LOCKED</code> and <code>MAP_NORESERVE</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4516">#4516</a>)</li> <li>PowerPC64 musl: Fix the definition of <code>shmid_ds</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4519">#4519</a>)</li> </ul> <h3>Deprecated</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/blob/0.2.175/CHANGELOG.md">libc's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/rust-lang/libc/compare/0.2.174...0.2.175">0.2.175</a> - 2025-08-10</h2> <h3>Added</h3> <ul> <li>AIX: Add <code>getpeereid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4524">#4524</a>)</li> <li>AIX: Add <code>struct ld_info</code> and friends (<a href="https://redirect.github.com/rust-lang/libc/pull/4578">#4578</a>)</li> <li>AIX: Retore <code>struct winsize</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4577">#4577</a>)</li> <li>Android: Add UDP socket option constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4619">#4619</a>)</li> <li>Android: Add <code>CLONE_CLEAR_SIGHAND</code> and <code>CLONE_INTO_CGROUP</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4502">#4502</a>)</li> <li>Android: Add more <code>prctl</code> constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4531">#4531</a>)</li> <li>FreeBSD Add further TCP stack-related constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4196">#4196</a>)</li> <li>FreeBSD x86-64: Add <code>mcontext_t.mc_tlsbase </code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4503">#4503</a>)</li> <li>FreeBSD15: Add <code>kinfo_proc.ki_uerrmsg</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>FreeBSD: Add <code>in_conninfo</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xinpgen</code> and related types (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xktls_session</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>Haiku: Add functionality from <code>libbsd</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4221">#4221</a>)</li> <li>Linux: Add <code>SECBIT_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4480">#4480</a>)</li> <li>NetBSD, OpenBSD: Export <code>ioctl</code> request generator macros (<a href="https://redirect.github.com/rust-lang/libc/pull/4460">#4460</a>)</li> <li>NetBSD: Add <code>ptsname_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4608">#4608</a>)</li> <li>RISCV32: Add time-related syscalls (<a href="https://redirect.github.com/rust-lang/libc/pull/4612">#4612</a>)</li> <li>Solarish: Add <code>strftime*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4453">#4453</a>)</li> <li>linux: Add <code>EXEC_RESTRICT_*</code> and <code>EXEC_DENY_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4545">#4545</a>)</li> </ul> <h3>Changed</h3> <ul> <li>AIX: Add <code>const</code> to signatures to be consistent with other platforms (<a href="https://redirect.github.com/rust-lang/libc/pull/4563">#4563</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>AIX: Fix the type of <code>struct statvfs.f_fsid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4576">#4576</a>)</li> <li>AIX: Fix the type of constants for the <code>ioctl</code> <code>request</code> argument (<a href="https://redirect.github.com/rust-lang/libc/pull/4582">#4582</a>)</li> <li>AIX: Fix the types of <code>stat{,64}.st_*tim</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4597">#4597</a>)</li> <li>AIX: Use unique <code>errno</code> values (<a href="https://redirect.github.com/rust-lang/libc/pull/4507">#4507</a>)</li> <li>Build: Fix an incorrect <code>target_os</code> -> <code>target_arch</code> check (<a href="https://redirect.github.com/rust-lang/libc/pull/4550">#4550</a>)</li> <li>FreeBSD: Fix the type of <code>xktls_session_onedir.ifnet</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>Mips64 musl: Fix the type of <code>nlink_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4509">#4509</a>)</li> <li>Mips64 musl: Use a special MIPS definition of <code>stack_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4528">#4528</a>)</li> <li>Mips64: Fix <code>SI_TIMER</code>, <code>SI_MESGQ</code> and <code>SI_ASYNCIO</code> definitions (<a href="https://redirect.github.com/rust-lang/libc/pull/4529">#4529</a>)</li> <li>Musl Mips64: Swap the order of <code>si_errno</code> and <code>si_code</code> in <code>siginfo_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4530">#4530</a>)</li> <li>Musl Mips64: Use a special MIPS definition of <code>statfs</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4527">#4527</a>)</li> <li>Musl: Fix the definition of <code>fanotify_event_metadata</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4510">#4510</a>)</li> <li>NetBSD: Correct <code>enum fae_action</code> to be <code>#[repr(C)]</code> (<a href="https://github.com/rust-lang/libc/commit/60a8cfd564f83164d45b9533ff7a0d7371878f2a">#60a8cfd5</a>)</li> <li>PSP: Correct <code>char</code> -> <code>c_char</code> (<a href="https://github.com/rust-lang/libc/commit/eaab4fc3f05dc646a953d4fd5ba46dfa1f8bd6f6">eaab4fc3</a>)</li> <li>PowerPC musl: Fix <code>termios</code> definitions (<a href="https://redirect.github.com/rust-lang/libc/pull/4518">#4518</a>)</li> <li>PowerPC musl: Fix the definition of <code>EDEADLK</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4517">#4517</a>)</li> <li>PowerPC musl: Fix the definition of <code>NCCS</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4513">#4513</a>)</li> <li>PowerPC musl: Fix the definitions of <code>MAP_LOCKED</code> and <code>MAP_NORESERVE</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4516">#4516</a>)</li> <li>PowerPC64 musl: Fix the definition of <code>shmid_ds</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4519">#4519</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rust-lang/libc/commit/84e26e6b166a6634d679fbf44e957102846b8a03"><code>84e26e6</code></a> Update the lockfile</li> <li><a href="https://github.com/rust-lang/libc/commit/4d04aee906450fed27305de30c23f518166f919f"><code>4d04aee</code></a> chore: release libc 0.2.175</li> <li><a href="https://github.com/rust-lang/libc/commit/94a7f32972a352fe348edbd49b06995542f3c5f5"><code>94a7f32</code></a> cleanup: Format a file that was missed</li> <li><a href="https://github.com/rust-lang/libc/commit/172527344a1d92b2ca7f88fe2b1bbde4b02de58b"><code>1725273</code></a> Rename the ctest file from <code>main</code> to <code>ctest</code></li> <li><a href="https://github.com/rust-lang/libc/commit/e9b021b7cd3d3f045ce8ec743d344e56b14f7244"><code>e9b021b</code></a> freebsd adding further TCP stack related constants.</li> <li><a href="https://github.com/rust-lang/libc/commit/9606a2918b1f370119af8022d61b0ff03175beb5"><code>9606a29</code></a> freebsd15: Add ki_uerrmsg to struct kinfo_proc</li> <li><a href="https://github.com/rust-lang/libc/commit/2816bc2f66c1c62ec5a616fb499a2b27bbba4a3c"><code>2816bc2</code></a> libc-test: include sys/ktls.h on freebsd</li> <li><a href="https://github.com/rust-lang/libc/commit/adfe283365cff1c6a05cddeca8afeaa667d1c637"><code>adfe283</code></a> libc-test: Account for xktls_session_onedir::gen (freebsd)</li> <li><a href="https://github.com/rust-lang/libc/commit/4cc1bf43310e6a31636e4c4eb31e78e702938f50"><code>4cc1bf4</code></a> freebsd: Document avoidance of reserved name <code>gen</code></li> <li><a href="https://github.com/rust-lang/libc/commit/7cdcaa62396816db2177cb663a4bf57f79603a52"><code>7cdcaa6</code></a> freebsd: Fix type of struct xktls_session_onedir, field ifnet</li> <li>Additional commits viewable in <a href="https://github.com/rust-lang/libc/compare/0.2.174...0.2.175">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] ·
2025-08-18 16:17:29 -07:00 -
Added
allow-expect-in-tests/allow-unwrap-in-tests(#2328)This PR: * Added the clippy.toml to configure allowable expect / unwrap usage in tests * Removed as many expect/allow lines as possible from tests * moved a bunch of allows to expects where possible Note: in integration tests, non `#[test]` helper functions are not covered by this so we had to leave a few lingering `expect(expect_used` checks around
Parker Thompson ·
2025-08-14 17:59:01 -07:00 -
Fix AF_UNIX, sockpair, recvfrom in linux sandbox (#2309)
When using codex-tui on a linux system I was unable to run `cargo clippy` inside of codex due to: ``` [pid 3548377] socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, <unfinished ...> [pid 3548370] close(8 <unfinished ...> [pid 3548377] <... socketpair resumed>0x7ffb97f4ed60) = -1 EPERM (Operation not permitted) ``` And ``` 3611300 <... recvfrom resumed>0x708b8b5cffe0, 8, 0, NULL, NULL) = -1 EPERM (Operation not permitted) ``` This PR: * Fixes a bug that disallowed AF_UNIX to allow it on `socket()` * Adds recvfrom() to the syscall allow list, this should be fine since we disable opening new sockets. But we should validate there is not a open socket inheritance issue. * Allow socketpair to be called for AF_UNIX * Adds tests for AF_UNIX components * All of which allows running `cargo clippy` within the sandbox on linux, and possibly other tooling using a fork server model + AF_UNIX comms.
Parker Thompson ·
2025-08-14 17:12:41 -07:00 -
chore: introduce ConversationManager as a clearinghouse for all conversations (#2240)
This PR does two things because after I got deep into the first one I started pulling on the thread to the second: - Makes `ConversationManager` the place where all in-memory conversations are created and stored. Previously, `MessageProcessor` in the `codex-mcp-server` crate was doing this via its `session_map`, but this is something that should be done in `codex-core`. - It unwinds the `ctrl_c: tokio::sync::Notify` that was threaded throughout our code. I think this made sense at one time, but now that we handle Ctrl-C within the TUI and have a proper `Op::Interrupt` event, I don't think this was quite right, so I removed it. For `codex exec` and `codex proto`, we now use `tokio::signal::ctrl_c()` directly, but we no longer make `Notify` a field of `Codex` or `CodexConversation`. Changes of note: - Adds the files `conversation_manager.rs` and `codex_conversation.rs` to `codex-core`. - `Codex` and `CodexSpawnOk` are no longer exported from `codex-core`: other crates must use `CodexConversation` instead (which is created via `ConversationManager`). - `core/src/codex_wrapper.rs` has been deleted in favor of `ConversationManager`. - `ConversationManager::new_conversation()` returns `NewConversation`, which is in line with the `new_conversation` tool we want to add to the MCP server. Note `NewConversation` includes `SessionConfiguredEvent`, so we eliminate checks in cases like `codex-rs/core/tests/client.rs` to verify `SessionConfiguredEvent` is the first event because that is now internal to `ConversationManager`. - Quite a bit of code was deleted from `codex-rs/mcp-server/src/message_processor.rs` since it no longer has to manage multiple conversations itself: it goes through `ConversationManager` instead. - `core/tests/live_agent.rs` has been deleted because I had to update a bunch of tests and all the tests in here were ignored, and I don't think anyone ever ran them, so this was just technical debt, at this point. - Removed `notify_on_sigint()` from `util.rs` (and in a follow-up, I hope to refactor the blandly-named `util.rs` into more descriptive files). - In general, I started replacing local variables named `codex` as `conversation`, where appropriate, though admittedly I didn't do it through all the integration tests because that would have added a lot of noise to this PR. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/2240). * #2264 * #2263 * __->__ #2240
Michael Bolin ·
2025-08-13 13:38:18 -07:00 -
Include output truncation message in tool call results (#2183)
To avoid model being confused about incomplete output.
pakrym-oai ·
2025-08-11 11:52:05 -07:00 -
feat: add /tmp by default (#1919)
Replaces the `include_default_writable_roots` option on `sandbox_workspace_write` (that defaulted to `true`, which was slightly weird/annoying) with `exclude_tmpdir_env_var`, which defaults to `false`. Though perhaps more importantly `/tmp` is now enabled by default as part of `sandbox_mode = "workspace-write"`, though `exclude_slash_tmp = false` can be used to disable this.
Michael Bolin ·
2025-08-07 00:17:00 -07:00 -
[approval_policy] Add OnRequest approval_policy (#1865)
## Summary A split-up PR of #1763 , stacked on top of a tools refactor #1858 to make the change clearer. From the previous summary: > Let's try something new: tell the model about the sandbox, and let it decide when it will need to break the sandbox. Some local testing suggests that it works pretty well with zero iteration on the prompt! ## Testing - [x] Added unit tests - [x] Tested locally and it appears to work smoothly!
Dylan ·
2025-08-05 20:44:20 -07:00 -
feat: make .git read-only within a writable root when using Seatbelt (#1765)
To make `--full-auto` safer, this PR updates the Seatbelt policy so that a `SandboxPolicy` with a `writable_root` that contains a `.git/` _directory_ will make `.git/` _read-only_ (though as a follow-up, we should also consider the case where `.git` is a _file_ with a `gitdir: /path/to/actual/repo/.git` entry that should also be protected). The two major changes in this PR: - Updating `SandboxPolicy::get_writable_roots_with_cwd()` to return a `Vec<WritableRoot>` instead of a `Vec<PathBuf>` where a `WritableRoot` can specify a list of read-only subpaths. - Updating `create_seatbelt_command_args()` to honor the read-only subpaths in `WritableRoot`. The logic to update the policy is a fairly straightforward update to `create_seatbelt_command_args()`, but perhaps the more interesting part of this PR is the introduction of an integration test in `tests/sandbox.rs`. Leveraging the new API in #1785, we test `SandboxPolicy` under various conditions, including ones where `$TMPDIR` is not readable, which is critical for verifying the new behavior. To ensure that Codex can run its own tests, e.g.: ``` just codex debug seatbelt --full-auto -- cargo test if_git_repo_is_writable_root_then_dot_git_folder_is_read_only ``` I had to introduce the use of `CODEX_SANDBOX=sandbox`, which is comparable to how `CODEX_SANDBOX_NETWORK_DISABLED=1` was already being used. Adding a comparable change for Landlock will be done in a subsequent PR.
Michael Bolin ·
2025-08-01 16:11:24 -07:00 -
chore: introduce SandboxPolicy::WorkspaceWrite::include_default_writable_roots (#1785)
Without this change, it is challenging to create integration tests to verify that the folders not included in `writable_roots` in `SandboxPolicy::WorkspaceWrite` are read-only because, by default, `get_writable_roots_with_cwd()` includes `TMPDIR`, which is where most integrationt tests do their work. This introduces a `use_exact_writable_roots` option to disable the default includes returned by `get_writable_roots_with_cwd()`. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1785). * #1765 * __->__ #1785
Michael Bolin ·
2025-08-01 14:15:55 -07:00 -
feat: stream exec stdout events (#1786)
## Summary - stream command stdout as `ExecCommandStdout` events - forward streamed stdout to clients and ignore in human output processor - adjust call sites for new streaming API
aibrahim-oai ·
2025-08-01 13:04:34 -07:00 -
Auto format toml (#1745)
Add recommended extension and configure it to auto format prompt.
pakrym-oai ·
2025-07-30 18:37:00 -07:00 -
Michael Bolin ·
2025-07-28 08:31:24 -07:00 -
feat: support dotenv (including ~/.codex/.env) (#1653)
This PR adds a `load_dotenv()` helper function to the `codex-common` crate that is available when the `cli` feature is enabled. The function uses [`dotenvy`](https://crates.io/crates/dotenvy) to update the environment from: - `$CODEX_HOME/.env` - `$(pwd)/.env` To test: - ran `printenv OPENAI_API_KEY` to verify the env var exists in my environment - ran `just codex exec hello` to verify the CLI uses my `OPENAI_API_KEY` - ran `unset OPENAI_API_KEY` - ran `just codex exec hello` again and got **ERROR: Missing environment variable: `OPENAI_API_KEY`**, as expected - created `~/.codex/.env` and added `OPENAI_API_KEY=sk-proj-...` (also ran `chmod 400 ~/.codex/.env` for good measure) - ran `just codex exec hello` again and it worked, verifying it picked up `OPENAI_API_KEY` from `~/.codex/.env` Note this functionality was available in the TypeScript CLI: https://github.com/openai/codex/pull/122 and was recently requested over on https://github.com/openai/codex/issues/1262#issuecomment-3093203551.
Michael Bolin ·
2025-07-22 15:54:33 -07:00 -
chore(rs): update dependencies (#1494)
### Chores - Update cargo dependencies - Remove unused cargo dependencies - Fix clippy warnings - Update Dockerfile (package.json requires node 22) - Let Dependabot update bun, cargo, devcontainers, docker, github-actions, npm (nix still not supported) ### TODO - Upgrade dependencies with breaking changes ```shell $ cargo update --verbose Unchanged crossterm v0.28.1 (available: v0.29.0) Unchanged schemars v0.8.22 (available: v1.0.4) ```
Rene Leonhardt ·
2025-07-10 11:08:16 -07:00 -
feat: redesign sandbox config (#1373)
This is a major redesign of how sandbox configuration works and aims to fix https://github.com/openai/codex/issues/1248. Specifically, it replaces `sandbox_permissions` in `config.toml` (and the `-s`/`--sandbox-permission` CLI flags) with a "table" with effectively three variants: ```toml # Safest option: full disk is read-only, but writes and network access are disallowed. [sandbox] mode = "read-only" # The cwd of the Codex task is writable, as well as $TMPDIR on macOS. # writable_roots can be used to specify additional writable folders. [sandbox] mode = "workspace-write" writable_roots = [] # Optional, defaults to the empty list. network_access = false # Optional, defaults to false. # Disable sandboxing: use at your own risk!!! [sandbox] mode = "danger-full-access" ``` This should make sandboxing easier to reason about. While we have dropped support for `-s`, the way it works now is: - no flags => `read-only` - `--full-auto` => `workspace-write` - currently, there is no way to specify `danger-full-access` via a CLI flag, but we will revisit that as part of https://github.com/openai/codex/issues/1254 Outstanding issue: - As noted in the `TODO` on `SandboxPolicy::is_unrestricted()`, we are still conflating sandbox preferences with approval preferences in that case, which needs to be cleaned up.
Michael Bolin ·
2025-06-24 16:59:47 -07:00 -
fix: support arm64 build for Linux (#1225)
Users were running into issues with glibc mismatches on arm64 linux. In the past, we did not provide a musl build for arm64 Linux because we had trouble getting the openssl dependency to build correctly. Though today I just tried the same trick in `Cargo.toml` that we were doing for `x86_64-unknown-linux-musl` (using `openssl-sys` with `features = ["vendored"]`), so I'm not sure what problem we had in the past the builds "just worked" today! Though one tweak that did have to be made is that the integration tests for Seccomp/Landlock empirically require longer timeouts on arm64 linux, or at least on the `ubuntu-24.04-arm` GitHub Runner. As such, we change the timeouts for arm64 in `codex-rs/linux-sandbox/tests/landlock.rs`. Though in solving this problem, I decided I needed a turnkey solution for testing the Linux build(s) from my Mac laptop, so this PR introduces `.devcontainer/Dockerfile` and `.devcontainer/devcontainer.json` to facilitate this. Detailed instructions are in `.devcontainer/README.md`. We will update `dotslash-config.json` and other release-related scripts in a follow-up PR.
Michael Bolin ·
2025-06-05 20:29:46 -07:00 -
fix: overhaul how we spawn commands under seccomp/landlock on Linux (#1086)
Historically, we spawned the Seatbelt and Landlock sandboxes in substantially different ways: For **Seatbelt**, we would run `/usr/bin/sandbox-exec` with our policy specified as an arg followed by the original command: https://github.com/openai/codex/blob/d1de7bb383552e8fadd94be79d65d188e00fd562/codex-rs/core/src/exec.rs#L147-L219 For **Landlock/Seccomp**, we would do `tokio::runtime::Builder::new_current_thread()`, _invoke Landlock/Seccomp APIs to modify the permissions of that new thread_, and then spawn the command: https://github.com/openai/codex/blob/d1de7bb383552e8fadd94be79d65d188e00fd562/codex-rs/core/src/exec_linux.rs#L28-L49 While it is neat that Landlock/Seccomp supports applying a policy to only one thread without having to apply it to the entire process, it requires us to maintain two different codepaths and is a bit harder to reason about. The tipping point was https://github.com/openai/codex/pull/1061, in which we had to start building up the `env` in an unexpected way for the existing Landlock/Seccomp approach to continue to work. This PR overhauls things so that we do similar things for Mac and Linux. It turned out that we were already building our own "helper binary" comparable to Mac's `sandbox-exec` as part of the `cli` crate: https://github.com/openai/codex/blob/d1de7bb383552e8fadd94be79d65d188e00fd562/codex-rs/cli/Cargo.toml#L10-L12 We originally created this to build a small binary to include with the Node.js version of the Codex CLI to provide support for Linux sandboxing. Though the sticky bit is that, at this point, we still want to deploy the Rust version of Codex as a single, standalone binary rather than a CLI and a supporting sandboxing binary. To satisfy this goal, we use "the arg0 trick," in which we: * use `std::env::current_exe()` to get the path to the CLI that is currently running * use the CLI as the `program` for the `Command` * set `"codex-linux-sandbox"` as arg0 for the `Command` A CLI that supports sandboxing should check arg0 at the start of the program. If it is `"codex-linux-sandbox"`, it must invoke `codex_linux_sandbox::run_main()`, which runs the CLI as if it were `codex-linux-sandbox`. When acting as `codex-linux-sandbox`, we make the appropriate Landlock/Seccomp API calls and then use `execvp(3)` to spawn the original command, so do _replace_ the process rather than spawn a subprocess. Incidentally, we do this before starting the Tokio runtime, so the process should only have one thread when `execvp(3)` is called. Because the `core` crate that needs to spawn the Linux sandboxing is not a CLI in its own right, this means that every CLI that includes `core` and relies on this behavior has to (1) implement it and (2) provide the path to the sandboxing executable. While the path is almost always `std::env::current_exe()`, we needed to make this configurable for integration tests, so `Config` now has a `codex_linux_sandbox_exe: Option<PathBuf>` property to facilitate threading this through, introduced in https://github.com/openai/codex/pull/1089. This common pattern is now captured in `codex_linux_sandbox::run_with_sandbox()` and all of the `main.rs` functions that should use it have been updated as part of this PR. The `codex-linux-sandbox` crate added to the Cargo workspace as part of this PR now has the bulk of the Landlock/Seccomp logic, which makes `core` a bit simpler. Indeed, `core/src/exec_linux.rs` and `core/src/landlock.rs` were removed/ported as part of this PR. I also moved the unit tests for this code into an integration test, `linux-sandbox/tests/landlock.rs`, in which I use `env!("CARGO_BIN_EXE_codex-linux-sandbox")` as the value for `codex_linux_sandbox_exe` since `std::env::current_exe()` is not appropriate in that case.
Michael Bolin ·
2025-05-23 11:37:07 -07:00