mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
1fe89de576
## Why We want to exercise a linux app-server against a windows exec-server without having to repeat every test case. This approach has slight precedent in the remote docker test setup. ## What Run the shared `codex-core` integration suite against Windows exec-server behavior from Linux. This makes cross-OS path and shell regressions visible while keeping unsupported cases owned by individual tests. - Add `local`, `docker`, and `wine-exec` test environment selection with legacy Docker compatibility. - Extend `codex_rust_crate` to generate a sharded Wine-exec variant using a cross-built Windows server and pinned Bazel Wine/PowerShell runtimes. - Teach remote-aware helpers about Windows paths and track temporary incompatibilities with source-local `skip_if_wine_exec!` calls and follow-up reasons.
91 lines
4.4 KiB
Markdown
91 lines
4.4 KiB
Markdown
# codex-core
|
|
|
|
This crate implements the business logic for Codex. It is designed to be used by the various Codex UIs written in Rust.
|
|
|
|
## Wine-exec integration tests
|
|
|
|
On x86-64 Linux, run the shared suite against the Windows exec server with
|
|
`bazel test //codex-rs/core:core-all-wine-exec-test`. Temporary blockers use a
|
|
source-local `skip_if_wine_exec!` call and reason.
|
|
|
|
## Dependencies
|
|
|
|
Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:
|
|
|
|
### macOS
|
|
|
|
Expects `/usr/bin/sandbox-exec` to be present.
|
|
|
|
When using the workspace-write sandbox policy, the Seatbelt profile allows
|
|
writes under the configured writable roots while keeping `.git` (directory or
|
|
pointer file), the resolved `gitdir:` target, and `.codex` read-only.
|
|
|
|
Network access and filesystem read/write roots are controlled by
|
|
`SandboxPolicy`. Seatbelt consumes the resolved policy and enforces it.
|
|
|
|
Seatbelt also keeps the legacy default preferences read access
|
|
(`user-preference-read`) needed for cfprefs-backed macOS behavior.
|
|
|
|
### Linux
|
|
|
|
Expects the binary containing `codex-core` to run the equivalent of `codex sandbox` when `arg0` is `codex-linux-sandbox`. See the `codex-arg0` crate for details.
|
|
|
|
Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on Linux.
|
|
They can continue to use the legacy Landlock path when the split filesystem
|
|
policy is sandbox-equivalent to the legacy model after `cwd` resolution.
|
|
Split filesystem policies that need direct `FileSystemSandboxPolicy`
|
|
enforcement, such as read-only or denied carveouts under a broader writable
|
|
root, automatically route through bubblewrap. The legacy Landlock path is used
|
|
only when the split filesystem policy round-trips through the legacy
|
|
`SandboxPolicy` model without changing semantics. That includes overlapping
|
|
cases like `/repo = write`, `/repo/a = none`, `/repo/a/b = write`, where the
|
|
more specific writable child must reopen under a denied parent.
|
|
|
|
The Linux sandbox helper prefers the first `bwrap` found on `PATH` outside the
|
|
current working directory whenever it is available. If `bwrap` is present but
|
|
too old to support `--argv0`, the helper keeps using system bubblewrap and
|
|
switches to a no-`--argv0` compatibility path for the inner re-exec. If
|
|
`bwrap` is missing, it falls back to the bundled `codex-resources/bwrap`
|
|
binary shipped with Codex and Codex surfaces a startup warning through its
|
|
normal notification path instead of printing directly from the sandbox helper.
|
|
Codex also surfaces a startup warning when bubblewrap cannot create user
|
|
namespaces. WSL2 uses the normal Linux bubblewrap path. WSL1 is not supported
|
|
for bubblewrap sandboxing because it cannot create the required user
|
|
namespaces, so Codex rejects sandboxed shell commands that would enter the
|
|
bubblewrap path before invoking `bwrap`.
|
|
|
|
### Windows
|
|
|
|
Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on
|
|
Windows. Legacy `read-only` and `workspace-write` policies imply full
|
|
filesystem read access; exact readable roots are represented by split
|
|
filesystem policies instead.
|
|
|
|
The elevated Windows sandbox also supports:
|
|
|
|
- legacy `ReadOnly` and `WorkspaceWrite` behavior
|
|
- split filesystem policies that need exact readable roots, exact writable
|
|
roots, or extra read-only carveouts under writable roots
|
|
- backend-managed system read roots required for basic execution, such as
|
|
`C:\Windows`, `C:\Program Files`, `C:\Program Files (x86)`, and
|
|
`C:\ProgramData`, when a split filesystem policy requests platform defaults
|
|
|
|
The unelevated restricted-token backend still supports the legacy full-read
|
|
Windows model for legacy `ReadOnly` and `WorkspaceWrite` behavior. It also
|
|
supports a narrow split-filesystem subset: full-read split policies whose
|
|
writable roots still match the legacy `WorkspaceWrite` root set, but add extra
|
|
read-only carveouts under those writable roots.
|
|
|
|
New `[permissions]` / split filesystem policies remain supported on Windows
|
|
only when they can be enforced directly by the selected Windows backend or
|
|
round-trip through the legacy `SandboxPolicy` model without changing semantics.
|
|
Policies that would require direct explicit unreadable carveouts (`none`) or
|
|
reopened writable descendants under read-only carveouts still fail closed
|
|
instead of running with weaker enforcement.
|
|
|
|
### All Platforms
|
|
|
|
Expects the binary containing `codex-core` to simulate the virtual
|
|
`apply_patch` CLI when `arg1` is `--codex-run-as-apply-patch`. See the
|
|
`codex-arg0` crate for details.
|