feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

## Summary Vendor Bubblewrap into the repo and add minimal build plumbing in `codex-linux-sandbox` to compile/link it. ## Why We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout: 1) vendoring/build setup (this PR), 2) runtime integration (follow-up PR). ## Included - Add `codex-rs/vendor/bubblewrap` sources. - Add build-time FFI path in `codex-rs/linux-sandbox`. - Update `build.rs` rerun tracking for vendored files. - Small vendored compile warning fix (`sockaddr_nl` full init). follow up in https://github.com/openai/codex/pull/9938
2026-05-01 03:42:05 +03:00 · 2026-02-02 23:33:46 -08:00
parent 53d8474061
commit f956cc2a02
57 changed files with 11261 additions and 6 deletions
--- a/codex-rs/vendor/bubblewrap/bind-mount.h
+++ b/codex-rs/vendor/bubblewrap/bind-mount.h
@@ -0,0 +1,54 @@
+/* bubblewrap
+ * Copyright (C) 2016 Alexander Larsson
+ * SPDX-License-Identifier: LGPL-2.0-or-later
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#pragma once
+
+#include "utils.h"
+
+typedef enum {
+  BIND_READONLY = (1 << 0),
+  BIND_DEVICES = (1 << 2),
+  BIND_RECURSIVE = (1 << 3),
+} bind_option_t;
+
+typedef enum
+{
+  BIND_MOUNT_SUCCESS = 0,
+  BIND_MOUNT_ERROR_MOUNT,
+  BIND_MOUNT_ERROR_REALPATH_DEST,
+  BIND_MOUNT_ERROR_REOPEN_DEST,
+  BIND_MOUNT_ERROR_READLINK_DEST_PROC_FD,
+  BIND_MOUNT_ERROR_FIND_DEST_MOUNT,
+  BIND_MOUNT_ERROR_REMOUNT_DEST,
+  BIND_MOUNT_ERROR_REMOUNT_SUBMOUNT,
+} bind_mount_result;
+
+bind_mount_result bind_mount (int           proc_fd,
+                              const char   *src,
+                              const char   *dest,
+                              bind_option_t options,
+                              char        **failing_path);
+
+void die_with_bind_result (bind_mount_result res,
+                           int               saved_errno,
+                           const char       *failing_path,
+                           const char       *format,
+                           ...)
+  __attribute__((__noreturn__))
+  __attribute__((format (printf, 4, 5)));