feat(linux-sandbox): add bwrap support (#9938)

## Summary
This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
current Linux sandbox path relies on in-process restrictions (including
Landlock). Bubblewrap gives us a more uniform filesystem isolation
model, especially explicit writable roots with the option to make some
directories read-only and granular network controls.

This is behind a feature flag so we can validate behavior safely before
making it the default.

- Added temporary rollout flag:
  - `features.use_linux_sandbox_bwrap`
- Preserved existing default path when the flag is off.
- In Bubblewrap mode:
- Added internal retry without /proc when /proc mount is not permitted
by the host/container.
viyatb-oai
2026-02-04 11:13:17 -08:00
committed by GitHub
parent 95269ce88b
commit ae4de43ccc
31 changed files with 607 additions and 517 deletions


@@ -140,6 +140,7 @@ pub async fn process_exec_tool_call(
sandbox_policy: &SandboxPolicy,
sandbox_cwd: &Path,
codex_linux_sandbox_exe: &Option<PathBuf>,
use_linux_sandbox_bwrap: bool,
stdout_stream: Option<StdoutStream>,
) -> Result<ExecToolCallOutput> {
let windows_sandbox_level = params.windows_sandbox_level;
@@ -184,14 +185,15 @@ pub async fn process_exec_tool_call(
let manager = SandboxManager::new();
let exec_env = manager
.transform(
.transform(crate::sandboxing::SandboxTransformRequest {
spec,
sandbox_policy,
sandbox_type,
sandbox_cwd,
codex_linux_sandbox_exe.as_ref(),
policy: sandbox_policy,
sandbox: sandbox_type,
sandbox_policy_cwd: sandbox_cwd,
codex_linux_sandbox_exe: codex_linux_sandbox_exe.as_ref(),
use_linux_sandbox_bwrap,
windows_sandbox_level,
)
})
.map_err(CodexErr::from)?;
// Route through the sandboxing module for a single, unified execution path.
@@ -1108,6 +1110,7 @@ mod tests {
&SandboxPolicy::DangerFullAccess,
cwd.as_path(),
&None,
false,
None,
)
.await;