linux-sandbox: use standalone bundled bwrap (#21255)

**Summary** - Add `codex-bwrap`, a standalone `bwrap` binary built from the existing vendored bubblewrap sources. - Remove the linked vendored bwrap path from `codex-linux-sandbox`; runtime now prefers system `bwrap` and falls back to bundled `codex-resources/bwrap`. - Add bundled SHA-256 verification with missing/all-zero digest as the dev-mode skip value, then exec the verified file through `/proc/self/fd`. - Keep `launcher.rs` focused on choosing and dispatching the preferred launcher. Bundled lookup, digest verification, and bundled exec now live in `linux-sandbox/src/bundled_bwrap.rs`; Bazel runfiles lookup lives in `linux-sandbox/src/bazel_bwrap.rs`; shared argv/fd exec helpers live in `linux-sandbox/src/exec_util.rs`. - Teach Bazel tests to surface the Bazel-built `//codex-rs/bwrap:bwrap` through `CARGO_BIN_EXE_bwrap`; `codex-linux-sandbox` only honors that fallback in debug Bazel runfiles environments so release/user runtime lookup stays tied to `codex-resources/bwrap`. - Allow `codex-exec-server` filesystem helpers to preserve just the Bazel bwrap/runfiles variables they need in debug Bazel builds, since those helpers intentionally rebuild a small environment before spawning `codex-linux-sandbox`. - Verify the Bazel bwrap target in Linux release CI with a build-only check. Running `bwrap --version` is too strong for GitHub runners because bubblewrap still attempts namespace setup there. **Verification** - Latest update: `cargo test -p codex-linux-sandbox` - Latest update: `just fix -p codex-linux-sandbox` - `cargo check --target x86_64-unknown-linux-gnu -p codex-linux-sandbox` could not run locally because this macOS machine does not have `x86_64-linux-gnu-gcc`; GitHub Linux Bazel CI is expected to cover the Linux-only modules. - Earlier in this PR: `cargo test -p codex-bwrap` - Earlier in this PR: `cargo test -p codex-exec-server` - Earlier in this PR: `cargo check --release -p codex-exec-server` - Earlier in this PR: `just fix -p codex-linux-sandbox -p codex-exec-server` - Earlier in this PR: `bazel test --nobuild //codex-rs/linux-sandbox:linux-sandbox-all-test //codex-rs/core:core-all-test //codex-rs/exec-server:exec-server-file_system-test //codex-rs/app-server:app-server-all-test` (analysis completed; Bazel then refuses to run tests under `--nobuild`) - Earlier in this PR: `bazel build --nobuild //codex-rs/bwrap:bwrap` - Prior to this update: `just bazel-lock-update`, `just bazel-lock-check`, and YAML parse check for `.github/workflows/bazel.yml` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/21255). * #21257 * #21256 * __->__ #21255
2026-06-01 19:02:59 +00:00 · 2026-05-05 17:14:29 -07:00
parent 03d3403a41
commit 26f355b67b
27 changed files with 751 additions and 338 deletions
--- a/codex-rs/core/BUILD.bazel
+++ b/codex-rs/core/BUILD.bazel
@@ -52,6 +52,7 @@ codex_rust_crate(
    test_tags = ["no-sandbox"],
    unit_test_timeout = "long",
    extra_binaries = [
+        "//codex-rs/bwrap:bwrap",
        "//codex-rs/linux-sandbox:codex-linux-sandbox",
        "//codex-rs/rmcp-client:test_stdio_server",
        "//codex-rs/rmcp-client:test_streamable_http_server",
--- a/codex-rs/core/README.md
+++ b/codex-rs/core/README.md
@@ -39,14 +39,14 @@ The Linux sandbox helper prefers the first `bwrap` found on `PATH` outside the
 current working directory whenever it is available. If `bwrap` is present but
 too old to support `--argv0`, the helper keeps using system bubblewrap and
 switches to a no-`--argv0` compatibility path for the inner re-exec. If
-`bwrap` is missing, it falls back to the vendored bubblewrap path compiled into
-the binary and Codex surfaces a startup warning through its normal notification
-path instead of printing directly from the sandbox helper. Codex also surfaces
-a startup warning when bubblewrap cannot create user namespaces. WSL2 uses the
-normal Linux bubblewrap path. WSL1 is not supported for bubblewrap sandboxing
-because it cannot create the required user namespaces, so Codex rejects
-sandboxed shell commands that would enter the bubblewrap path before invoking
-`bwrap`.
+`bwrap` is missing, it falls back to the bundled `codex-resources/bwrap`
+binary shipped with Codex and Codex surfaces a startup warning through its
+normal notification path instead of printing directly from the sandbox helper.
+Codex also surfaces a startup warning when bubblewrap cannot create user
+namespaces. WSL2 uses the normal Linux bubblewrap path. WSL1 is not supported
+for bubblewrap sandboxing because it cannot create the required user
+namespaces, so Codex rejects sandboxed shell commands that would enter the
+bubblewrap path before invoking `bwrap`.

 ### Windows