mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
d40454522e
## Summary - allow `socketpair(AF_UNIX, ...)` in the proxy-routed Linux seccomp mode - continue denying `socket(AF_UNIX, ...)` so user commands cannot create pathname or abstract Unix sockets - extend the managed-proxy integration test to verify both behaviors ## Root cause `NetworkSeccompMode::ProxyRouted` treated anonymous Unix socket pairs like externally addressable Unix sockets and returned `EPERM`. This breaks tools that use socket pairs for local child-process IPC even though a socket pair cannot connect outside the sandbox or bypass the routed proxy. `dangerously_allow_all_unix_sockets` controls Unix-socket requests forwarded by the managed network proxy; it does not currently configure the Linux seccomp filter. Socket pairs should not require that dangerous setting because they are unnamed, process-local IPC. Related but independent: #26553 fixes host proxy bridge socket path length handling. --------- Co-authored-by: Codex <noreply@openai.com>
d40454522e
ยท
2026-06-05 09:34:36 -07:00
History