refactor: make bubblewrap the default Linux sandbox (#13996)

## Summary - make bubblewrap the default Linux sandbox and keep `use_legacy_landlock` as the only override - remove `use_linux_sandbox_bwrap` from feature, config, schema, and docs surfaces - update Linux sandbox selection, CLI/config plumbing, and related tests/docs to match the new default - fold in the follow-up CI fixes for request-permissions responses and Linux read-only sandbox error text
2026-05-03 21:01:55 +03:00 · 2026-03-11 23:31:18 -07:00
parent b5f927b973
commit 04892b4ceb
29 changed files with 184 additions and 222 deletions
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -250,19 +250,18 @@ async fn run_command_under_sandbox(
            .await?
        }
        SandboxType::Landlock => {
-            use codex_core::features::Feature;
            #[expect(clippy::expect_used)]
            let codex_linux_sandbox_exe = config
                .codex_linux_sandbox_exe
                .expect("codex-linux-sandbox executable not found");
-            let use_bwrap_sandbox = config.features.enabled(Feature::UseLinuxSandboxBwrap);
+            let use_legacy_landlock = config.features.use_legacy_landlock();
            spawn_command_under_linux_sandbox(
                codex_linux_sandbox_exe,
                command,
                cwd,
                config.permissions.sandbox_policy.get(),
                sandbox_policy_cwd.as_path(),
-                use_bwrap_sandbox,
+                use_legacy_landlock,
                stdio_policy,
                network.as_ref(),
                env,
--- a/codex-rs/cli/src/lib.rs
+++ b/codex-rs/cli/src/lib.rs
@@ -32,7 +32,7 @@ pub struct LandlockCommand {
    #[clap(skip)]
    pub config_overrides: CliConfigOverrides,

-    /// Full command args to run under landlock.
+    /// Full command args to run under the Linux sandbox.
    #[arg(trailing_var_arg = true)]
    pub command: Vec<String>,
 }
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -239,7 +239,7 @@ enum SandboxCommand {
    #[clap(visible_alias = "seatbelt")]
    Macos(SeatbeltCommand),

-    /// Run a command under Landlock+seccomp (Linux only).
+    /// Run a command under the Linux sandbox (bubblewrap by default).
    #[clap(visible_alias = "landlock")]
    Linux(LandlockCommand),