refactor: make bubblewrap the default Linux sandbox (#13996)

## Summary
- make bubblewrap the default Linux sandbox and keep
`use_legacy_landlock` as the only override
- remove `use_linux_sandbox_bwrap` from feature, config, schema, and
docs surfaces
- update Linux sandbox selection, CLI/config plumbing, and related
tests/docs to match the new default
- fold in the follow-up CI fixes for request-permissions responses and
Linux read-only sandbox error text
viyatb-oai
2026-03-11 23:31:18 -07:00
committed by GitHub
parent b5f927b973
commit 04892b4ceb
29 changed files with 184 additions and 222 deletions


@@ -127,7 +127,6 @@ fn managed_proxy_inner_command_includes_route_spec() {
sandbox_policy: &sandbox_policy,
file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
network_sandbox_policy: NetworkSandboxPolicy::Restricted,
use_bwrap_sandbox: true,
allow_network_for_proxy: true,
proxy_route_spec: Some("{\"routes\":[]}".to_string()),
command: vec!["/bin/true".to_string()],
@@ -145,7 +144,6 @@ fn inner_command_includes_split_policy_flags() {
sandbox_policy: &sandbox_policy,
file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
network_sandbox_policy: NetworkSandboxPolicy::Restricted,
use_bwrap_sandbox: true,
allow_network_for_proxy: false,
proxy_route_spec: None,
command: vec!["/bin/true".to_string()],
@@ -163,7 +161,6 @@ fn non_managed_inner_command_omits_route_spec() {
sandbox_policy: &sandbox_policy,
file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
network_sandbox_policy: NetworkSandboxPolicy::Restricted,
use_bwrap_sandbox: true,
allow_network_for_proxy: false,
proxy_route_spec: None,
command: vec!["/bin/true".to_string()],
@@ -181,7 +178,6 @@ fn managed_proxy_inner_command_requires_route_spec() {
sandbox_policy: &sandbox_policy,
file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
network_sandbox_policy: NetworkSandboxPolicy::Restricted,
use_bwrap_sandbox: true,
allow_network_for_proxy: true,
proxy_route_spec: None,
command: vec!["/bin/true".to_string()],
@@ -244,8 +240,8 @@ fn resolve_sandbox_policies_rejects_partial_split_policies() {
}
#[test]
fn apply_seccomp_then_exec_without_bwrap_panics() {
let result = std::panic::catch_unwind(|| ensure_inner_stage_mode_is_valid(true, false));
fn apply_seccomp_then_exec_with_legacy_landlock_panics() {
let result = std::panic::catch_unwind(|| ensure_inner_stage_mode_is_valid(true, true));
assert!(result.is_err());
}
@@ -253,5 +249,5 @@ fn apply_seccomp_then_exec_without_bwrap_panics() {
fn valid_inner_stage_modes_do_not_panic() {
ensure_inner_stage_mode_is_valid(false, false);
ensure_inner_stage_mode_is_valid(false, true);
ensure_inner_stage_mode_is_valid(true, true);
ensure_inner_stage_mode_is_valid(true, false);
}
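Review bot: The renamed test `apply_seccomp_then_exec_with_legacy_landlock_panics` still wraps the call in `catch_unwind` and asserts only `result.is_err()`, so any panic raised inside `ensure_inner_stage_mode_is_valid(true, true)` satisfies it, not specifically the rejection of seccomp-then-exec under legacy Landlock. The idiomatic form is `#[should_panic(expected = "<panic message placeholder>")]` on the test with a bare `ensure_inner_stage_mode_is_valid(true, true);` body, which also pins the message so an unrelated panic cannot pass the test. The boolean pair appears to be (apply_seccomp, use_legacy_landlock) — inferred from the test names, the signature is not in this hunk — and a one-line comment above the three calls in `valid_inner_stage_modes_do_not_panic`, such as `// (apply_seccomp, use_legacy_landlock): only seccomp-then-exec under legacy Landlock is rejected`, would make the bool pairs readable. The fixture hunks earlier in this file only drop the `use_bwrap_sandbox: true` field and need nothing further.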