mirrors/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-02 04:11:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

Browse Source 
## Summary

Vendor Bubblewrap into the repo and add minimal build plumbing in
`codex-linux-sandbox` to compile/link it.

## Why

We want to move Linux sandboxing toward Bubblewrap, but in a safe
two-step rollout:
1) vendoring/build setup (this PR),  
2) runtime integration (follow-up PR).

## Included

- Add `codex-rs/vendor/bubblewrap` sources.
- Add build-time FFI path in `codex-rs/linux-sandbox`.
- Update `build.rs` rerun tracking for vendored files.
- Small vendored compile warning fix (`sockaddr_nl` full init).

follow up in https://github.com/openai/codex/pull/9938
This commit is contained in:
viyatb-oai
2026-02-02 23:33:46 -08:00
committed by GitHub
parent 53d8474061
commit f956cc2a02
57 changed files with 11261 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
codex-rs/linux-sandbox/src/lib.rs
View File

@@ -1,9 +1,16 @@
//! Linux sandbox helper entry point.
//!
//! On Linux, `codex-linux-sandbox` applies:
//! - in-process restrictions (`no_new_privs` + seccomp), and
//! - bubblewrap for filesystem isolation.
#[cfg(target_os = "linux")]
mod bwrap;
#[cfg(target_os = "linux")]
mod landlock;
#[cfg(target_os = "linux")]
mod linux_run_main;
#[cfg(target_os = "linux")]
mod mounts;
mod vendored_bwrap;
#[cfg(target_os = "linux")]
pub fn run_main() -> ! {