feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

## Summary Vendor Bubblewrap into the repo and add minimal build plumbing in `codex-linux-sandbox` to compile/link it. ## Why We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout: 1) vendoring/build setup (this PR), 2) runtime integration (follow-up PR). ## Included - Add `codex-rs/vendor/bubblewrap` sources. - Add build-time FFI path in `codex-rs/linux-sandbox`. - Update `build.rs` rerun tracking for vendored files. - Small vendored compile warning fix (`sockaddr_nl` full init). follow up in https://github.com/openai/codex/pull/9938
2026-05-02 12:21:26 +03:00 · 2026-02-02 23:33:46 -08:00
parent 53d8474061
commit f956cc2a02
57 changed files with 11261 additions and 6 deletions
--- a/codex-rs/vendor/bubblewrap/ci/builddeps.sh
+++ b/codex-rs/vendor/bubblewrap/ci/builddeps.sh
@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# Copyright 2021 Simon McVittie
+# SPDX-License-Identifier: LGPL-2.0-or-later
+
+set -eux
+set -o pipefail
+
+usage() {
+    if [ "${1-2}" -ne 0 ]; then
+        exec >&2
+    fi
+    cat <<EOF
+Usage: see source code
+EOF
+    exit "${1-2}"
+}
+
+opt_clang=
+
+getopt_temp="help"
+getopt_temp="$getopt_temp,clang"
+
+getopt_temp="$(getopt -o '' --long "${getopt_temp}" -n "$0" -- "$@")"
+eval set -- "$getopt_temp"
+unset getopt_temp
+
+while true; do
+    case "$1" in
+        (--clang)
+            clang=yes
+            shift
+            ;;
+
+        (--help)
+            usage 0
+            # not reached
+            ;;
+
+        (--)
+            shift
+            break
+            ;;
+
+        (*)
+            echo 'Error parsing options' >&2
+            usage 2
+            ;;
+    esac
+done
+
+# No more arguments please
+for arg in "$@"; do
+    usage 2
+done
+
+if dpkg-vendor --derives-from Debian; then
+    apt-get -y update
+    apt-get -q -y install \
+        build-essential \
+        docbook-xml \
+        docbook-xsl \
+        libcap-dev \
+        libselinux1-dev \
+        libtool \
+        meson \
+        pkg-config \
+        python3 \
+        xsltproc \
+        ${NULL+}
+
+    if [ -n "${opt_clang}" ]; then
+        apt-get -y install clang
+    fi
+
+    exit 0
+fi
+
+if command -v yum; then
+    yum -y install \
+        'pkgconfig(libselinux)' \
+        /usr/bin/eu-readelf \
+        docbook-style-xsl \
+        gcc \
+        git \
+        libasan \
+        libcap-devel \
+        libtool \
+        libtsan \
+        libubsan \
+        libxslt \
+        make \
+        meson \
+        redhat-rpm-config \
+        rsync \
+        ${NULL+}
+
+    if [ -n "${opt_clang}" ]; then
+        yum -y install clang
+    fi
+
+    exit 0
+fi
+
+echo "Unknown distribution" >&2
+exit 1
+
+# vim:set sw=4 sts=4 et:
--- a/codex-rs/vendor/bubblewrap/ci/enable-userns.sh
+++ b/codex-rs/vendor/bubblewrap/ci/enable-userns.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+echo "kernel.apparmor_restrict_unprivileged_userns = 0" > /etc/sysctl.d/99-userns.conf
+sysctl --system