mirror of
https://github.com/openai/codex.git
synced 2026-04-29 10:53:24 +03:00
0d1539e74c
## Problem Ubuntu/AppArmor hosts started failing in the default Linux sandbox path after the switch to vendored/default bubblewrap in `0.115.0`. The clearest report is in [#14919](https://github.com/openai/codex/issues/14919), especially [this investigation comment](https://github.com/openai/codex/issues/14919#issuecomment-4076504751): on affected Ubuntu systems, `/usr/bin/bwrap` works, but a copied or vendored `bwrap` binary fails with errors like `bwrap: setting up uid map: Permission denied` or `bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted`. The root cause is Ubuntu's `/etc/apparmor.d/bwrap-userns-restrict` profile, which grants `userns` access specifically to `/usr/bin/bwrap`. Once Codex started using a vendored/internal bubblewrap path, that path was no longer covered by the distro AppArmor exception, so sandbox namespace setup could fail even when user namespaces were otherwise enabled and `uidmap` was installed. ## What this PR changes - prefer system `/usr/bin/bwrap` whenever it is available - keep vendored bubblewrap as the fallback when `/usr/bin/bwrap` is missing - when `/usr/bin/bwrap` is missing, surface a Codex startup warning through the app-server/TUI warning path instead of printing directly from the sandbox helper with `eprintln!` - use the same launcher decision for both the main sandbox execution path and the `/proc` preflight path - document the updated Linux bubblewrap behavior in the Linux sandbox and core READMEs ## Why this fix This still fixes the Ubuntu/AppArmor regression from [#14919](https://github.com/openai/codex/issues/14919), but it keeps the runtime rule simple and platform-agnostic: if the standard system bubblewrap is installed, use it; otherwise fall back to the vendored helper. The warning now follows that same simple rule. If Codex cannot find `/usr/bin/bwrap`, it tells the user that it is falling back to the vendored helper, and it does so through the existing startup warning plumbing that reaches the TUI and app-server instead of low-level sandbox stderr. ## Testing - `cargo test -p codex-linux-sandbox` - `cargo test -p codex-app-server --lib` - `cargo test -p codex-tui-app-server tests::embedded_app_server_start_failure_is_returned` - `cargo clippy -p codex-linux-sandbox --all-targets` - `cargo clippy -p codex-app-server --all-targets` - `cargo clippy -p codex-tui-app-server --all-targets`
135 lines
4.5 KiB
Rust
135 lines
4.5 KiB
Rust
use std::ffi::CString;
|
|
use std::fs::File;
|
|
use std::os::fd::AsRawFd;
|
|
use std::os::raw::c_char;
|
|
use std::os::unix::ffi::OsStrExt;
|
|
use std::path::Path;
|
|
|
|
use crate::vendored_bwrap::exec_vendored_bwrap;
|
|
use codex_utils_absolute_path::AbsolutePathBuf;
|
|
|
|
const SYSTEM_BWRAP_PATH: &str = "/usr/bin/bwrap";
|
|
|
|
#[derive(Debug, Clone, PartialEq, Eq)]
|
|
enum BubblewrapLauncher {
|
|
System(AbsolutePathBuf),
|
|
Vendored,
|
|
}
|
|
|
|
pub(crate) fn exec_bwrap(argv: Vec<String>, preserved_files: Vec<File>) -> ! {
|
|
match preferred_bwrap_launcher() {
|
|
BubblewrapLauncher::System(program) => exec_system_bwrap(&program, argv, preserved_files),
|
|
BubblewrapLauncher::Vendored => exec_vendored_bwrap(argv, preserved_files),
|
|
}
|
|
}
|
|
|
|
fn preferred_bwrap_launcher() -> BubblewrapLauncher {
|
|
if !Path::new(SYSTEM_BWRAP_PATH).is_file() {
|
|
return BubblewrapLauncher::Vendored;
|
|
}
|
|
|
|
let system_bwrap_path = match AbsolutePathBuf::from_absolute_path(SYSTEM_BWRAP_PATH) {
|
|
Ok(path) => path,
|
|
Err(err) => panic!("failed to normalize system bubblewrap path {SYSTEM_BWRAP_PATH}: {err}"),
|
|
};
|
|
BubblewrapLauncher::System(system_bwrap_path)
|
|
}
|
|
|
|
fn exec_system_bwrap(
|
|
program: &AbsolutePathBuf,
|
|
argv: Vec<String>,
|
|
preserved_files: Vec<File>,
|
|
) -> ! {
|
|
// System bwrap runs across an exec boundary, so preserved fds must survive exec.
|
|
make_files_inheritable(&preserved_files);
|
|
|
|
let program_path = program.as_path().display().to_string();
|
|
let program = CString::new(program.as_path().as_os_str().as_bytes())
|
|
.unwrap_or_else(|err| panic!("invalid system bubblewrap path: {err}"));
|
|
let cstrings = argv_to_cstrings(&argv);
|
|
let mut argv_ptrs: Vec<*const c_char> = cstrings.iter().map(|arg| arg.as_ptr()).collect();
|
|
argv_ptrs.push(std::ptr::null());
|
|
|
|
// SAFETY: `program` and every entry in `argv_ptrs` are valid C strings for
|
|
// the duration of the call. On success `execv` does not return.
|
|
unsafe {
|
|
libc::execv(program.as_ptr(), argv_ptrs.as_ptr());
|
|
}
|
|
let err = std::io::Error::last_os_error();
|
|
panic!("failed to exec system bubblewrap {program_path}: {err}");
|
|
}
|
|
|
|
fn argv_to_cstrings(argv: &[String]) -> Vec<CString> {
|
|
let mut cstrings: Vec<CString> = Vec::with_capacity(argv.len());
|
|
for arg in argv {
|
|
match CString::new(arg.as_str()) {
|
|
Ok(value) => cstrings.push(value),
|
|
Err(err) => panic!("failed to convert argv to CString: {err}"),
|
|
}
|
|
}
|
|
cstrings
|
|
}
|
|
|
|
fn make_files_inheritable(files: &[File]) {
|
|
for file in files {
|
|
clear_cloexec(file.as_raw_fd());
|
|
}
|
|
}
|
|
|
|
fn clear_cloexec(fd: libc::c_int) {
|
|
// SAFETY: `fd` is an owned descriptor kept alive by `files`.
|
|
let flags = unsafe { libc::fcntl(fd, libc::F_GETFD) };
|
|
if flags < 0 {
|
|
let err = std::io::Error::last_os_error();
|
|
panic!("failed to read fd flags for preserved bubblewrap file descriptor {fd}: {err}");
|
|
}
|
|
let cleared_flags = flags & !libc::FD_CLOEXEC;
|
|
if cleared_flags == flags {
|
|
return;
|
|
}
|
|
|
|
// SAFETY: `fd` is valid and we are only clearing FD_CLOEXEC.
|
|
let result = unsafe { libc::fcntl(fd, libc::F_SETFD, cleared_flags) };
|
|
if result < 0 {
|
|
let err = std::io::Error::last_os_error();
|
|
panic!("failed to clear CLOEXEC for preserved bubblewrap file descriptor {fd}: {err}");
|
|
}
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
use pretty_assertions::assert_eq;
|
|
use tempfile::NamedTempFile;
|
|
|
|
#[test]
|
|
fn preserved_files_are_made_inheritable_for_system_exec() {
|
|
let file = NamedTempFile::new().expect("temp file");
|
|
set_cloexec(file.as_file().as_raw_fd());
|
|
|
|
make_files_inheritable(std::slice::from_ref(file.as_file()));
|
|
|
|
assert_eq!(fd_flags(file.as_file().as_raw_fd()) & libc::FD_CLOEXEC, 0);
|
|
}
|
|
|
|
fn set_cloexec(fd: libc::c_int) {
|
|
let flags = fd_flags(fd);
|
|
// SAFETY: `fd` is valid for the duration of the test.
|
|
let result = unsafe { libc::fcntl(fd, libc::F_SETFD, flags | libc::FD_CLOEXEC) };
|
|
if result < 0 {
|
|
let err = std::io::Error::last_os_error();
|
|
panic!("failed to set CLOEXEC for test fd {fd}: {err}");
|
|
}
|
|
}
|
|
|
|
fn fd_flags(fd: libc::c_int) -> libc::c_int {
|
|
// SAFETY: `fd` is valid for the duration of the test.
|
|
let flags = unsafe { libc::fcntl(fd, libc::F_GETFD) };
|
|
if flags < 0 {
|
|
let err = std::io::Error::last_os_error();
|
|
panic!("failed to read fd flags for test fd {fd}: {err}");
|
|
}
|
|
flags
|
|
}
|
|
}
|