Fallback to vendored bwrap without --argv0 support

This commit is contained in:
David Wiesen
2026-03-21 10:34:32 -07:00
parent fe287ac467
commit f0ea745277
2 changed files with 39 additions and 5 deletions


@@ -8,17 +8,18 @@ This crate is responsible for producing:
- this should also be true of the `codex` multitool CLI
On Linux, the bubblewrap pipeline prefers the system `/usr/bin/bwrap` whenever
it is available. If `/usr/bin/bwrap` is missing, the helper still falls back to
the vendored bubblewrap path compiled into this binary.
it is available and supports the flags Codex requires. If `/usr/bin/bwrap` is
missing or too old to support `--argv0`, the helper falls back to the vendored
bubblewrap path compiled into this binary.
Codex also surfaces a startup warning when `/usr/bin/bwrap` is missing so users
know it is falling back to the vendored helper.
**Current Behavior**
- Legacy `SandboxPolicy` / `sandbox_mode` configs remain supported.
- Bubblewrap is the default filesystem sandbox pipeline.
- If `/usr/bin/bwrap` is present, the helper uses it.
- If `/usr/bin/bwrap` is missing, the helper falls back to the vendored
bubblewrap path.
- If `/usr/bin/bwrap` is present and supports `--argv0`, the helper uses it.
- If `/usr/bin/bwrap` is missing or too old to support `--argv0`, the helper
falls back to the vendored bubblewrap path.
- If `/usr/bin/bwrap` is missing, Codex also surfaces a startup warning instead
of printing directly from the sandbox helper.
- Legacy Landlock + mount protections remain available as an explicit legacy
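Review bot: the startup-warning sentences only cover the case where `/usr/bin/bwrap` is missing, but the same hunk now also falls back to the vendored helper when `/usr/bin/bwrap` is present but "too old to support `--argv0`", and the doc does not say whether that second fallback is surfaced to the user at all. Since an operator may assume the system bwrap is in use whenever it exists, please state explicitly whether the too-old case produces the same warning, e.g. "Codex also surfaces a startup warning when `/usr/bin/bwrap` is missing or lacks `--argv0` support", or note that the fallback is silent in that case. It would also help to say how `--argv0` support is detected (a version check versus probing the flag), so readers can reason about which path is taken on a given host.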