feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

## Summary

Vendor Bubblewrap into the repo and add minimal build plumbing in
`codex-linux-sandbox` to compile/link it.

## Why

We want to move Linux sandboxing toward Bubblewrap, but in a safe
two-step rollout:
1) vendoring/build setup (this PR),  
2) runtime integration (follow-up PR).

## Included

- Add `codex-rs/vendor/bubblewrap` sources.
- Add build-time FFI path in `codex-rs/linux-sandbox`.
- Update `build.rs` rerun tracking for vendored files.
- Small vendored compile warning fix (`sockaddr_nl` full init).

follow up in https://github.com/openai/codex/pull/9938

codex-rs/vendor/bubblewrap/demos/bubblewrap-shell.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Use bubblewrap to run /bin/sh reusing the host OS binaries (/usr), but with
+# separate /tmp, /home, /var, /run, and /etc. For /etc we just inherit the
+# host's resolv.conf, and set up "stub" passwd/group files.  Not sharing
+# /home for example is intentional.  If you wanted to, you could design
+# a bwrap-using program that shared individual parts of /home, perhaps
+# public content.
+#
+# Another way to build on this example is to remove --share-net to disable
+# networking.
+set -euo pipefail
+(exec bwrap --ro-bind /usr /usr \
+      --dir /tmp \
+      --dir /var \
+      --symlink ../tmp var/tmp \
+      --proc /proc \
+      --dev /dev \
+      --ro-bind /etc/resolv.conf /etc/resolv.conf \
+      --symlink usr/lib /lib \
+      --symlink usr/lib64 /lib64 \
+      --symlink usr/bin /bin \
+      --symlink usr/sbin /sbin \
+      --chdir / \
+      --unshare-all \
+      --share-net \
+      --die-with-parent \
+      --dir /run/user/$(id -u) \
+      --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+      --setenv PS1 "bwrap-demo$ " \
+      --file 11 /etc/passwd \
+      --file 12 /etc/group \
+      /bin/sh) \
+    11< <(getent passwd $UID 65534) \
+    12< <(getent group $(id -g) 65534)

codex-rs/vendor/bubblewrap/demos/flatpak-run.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# For this to work you first have to run these commands:
+#  curl -O http://sdk.gnome.org/nightly/keys/nightly.gpg
+#  flatpak --user remote-add --gpg-key=nightly.gpg gnome-nightly http://sdk.gnome.org/nightly/repo/
+#  flatpak --user install gnome-nightly org.gnome.Platform
+#  flatpak --user install gnome-nightly org.gnome.Weather
+
+mkdir -p ~/.var/app/org.gnome.Weather/cache ~/.var/app/org.gnome.Weather/config ~/.var/app/org.gnome.Weather/data
+
+(
+    exec bwrap \
+    --ro-bind ~/.local/share/flatpak/runtime/org.gnome.Platform/x86_64/master/active/files /usr \
+    --lock-file /usr/.ref \
+    --ro-bind ~/.local/share/flatpak/app/org.gnome.Weather/x86_64/master/active/files/ /app \
+    --lock-file /app/.ref \
+    --dev /dev \
+    --proc /proc \
+    --dir /tmp \
+    --symlink /tmp /var/tmp \
+    --symlink /run /var/run \
+    --symlink usr/lib /lib \
+    --symlink usr/lib64 /lib64 \
+    --symlink usr/bin /bin \
+    --symlink usr/sbin /sbin \
+    --symlink usr/etc /etc \
+    --dir /run/user/`id -u` \
+    --ro-bind /etc/machine-id /usr/etc/machine-id \
+    --ro-bind /etc/resolv.conf /run/host/monitor/resolv.conf \
+    --ro-bind /sys/block /sys/block \
+    --ro-bind /sys/bus /sys/bus \
+    --ro-bind /sys/class /sys/class \
+    --ro-bind /sys/dev /sys/dev \
+    --ro-bind /sys/devices /sys/devices \
+    --dev-bind /dev/dri /dev/dri \
+    --bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X99 \
+    --bind ~/.var/app/org.gnome.Weather ~/.var/app/org.gnome.Weather \
+    --bind ~/.config/dconf ~/.config/dconf \
+    --bind /run/user/`id -u`/dconf /run/user/`id -u`/dconf  \
+    --unshare-pid \
+    --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+    --setenv DISPLAY :99 \
+    --setenv GI_TYPELIB_PATH /app/lib/girepository-1.0 \
+    --setenv GST_PLUGIN_PATH /app/lib/gstreamer-1.0 \
+    --setenv LD_LIBRARY_PATH /app/lib:/usr/lib/GL \
+    --setenv DCONF_USER_CONFIG_DIR .config/dconf \
+    --setenv PATH /app/bin:/usr/bin \
+    --setenv XDG_CONFIG_DIRS /app/etc/xdg:/etc/xdg \
+    --setenv XDG_DATA_DIRS /app/share:/usr/share \
+    --setenv SHELL /bin/sh \
+    --setenv XDG_CACHE_HOME ~/.var/app/org.gnome.Weather/cache \
+    --setenv XDG_CONFIG_HOME ~/.var/app/org.gnome.Weather/config \
+    --setenv XDG_DATA_HOME ~/.var/app/org.gnome.Weather/data \
+    --file 10 /run/user/`id -u`/flatpak-info \
+    --bind-data 11 /usr/etc/passwd \
+    --bind-data 12 /usr/etc/group \
+    --seccomp 13 \
+    /bin/sh) \
+    11< <(getent passwd $UID 65534 ) \
+    12< <(getent group $(id -g) 65534)  \
+    13< `dirname $0`/flatpak.bpf \
+    10<<EOF
+[Application]
+name=org.gnome.Weather
+runtime=runtime/org.gnome.Platform/x86_64/master
+EOF

codex-rs/vendor/bubblewrap/demos/userns-block-fd.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import os, select, subprocess, sys, json
+
+pipe_info = os.pipe()
+userns_block = os.pipe()
+
+pid = os.fork()
+
+if pid != 0:
+    os.close(pipe_info[1])
+    os.close(userns_block[0])
+
+    select.select([pipe_info[0]], [], [])
+
+    data = json.load(os.fdopen(pipe_info[0]))
+    child_pid = str(data['child-pid'])
+
+    subprocess.call(["newuidmap", child_pid, "0", str(os.getuid()), "1"])
+    subprocess.call(["newgidmap", child_pid, "0", str(os.getgid()), "1"])
+
+    os.write(userns_block[1], b'1')
+else:
+    os.close(pipe_info[0])
+    os.close(userns_block[1])
+
+    os.set_inheritable(pipe_info[1], True)
+    os.set_inheritable(userns_block[0], True)
+
+    args = ["bwrap",
+            "bwrap",
+            "--unshare-all",
+            "--unshare-user",
+            "--userns-block-fd", "%i" % userns_block[0],
+            "--info-fd", "%i" % pipe_info[1],
+            "--bind", "/", "/",
+            "cat", "/proc/self/uid_map"]
+
+    os.execlp(*args)