codex: dispatch exec-server sandbox helper via argv0

Teach the standalone exec-server binary to run the Linux sandbox helper when it is re-execed with the codex-linux-sandbox argv0 alias. Point the exec-server sandbox transform at the current executable on Linux instead of requiring an env-provided helper path. Co-authored-by: Codex <noreply@openai.com>
2026-04-26 15:45:02 +00:00 · 2026-04-07 15:24:33 -07:00
parent 4e90a1a891
commit 3d5f1a4e56
5 changed files with 64 additions and 22 deletions
--- a/codex-rs/exec-server/src/bin/codex-exec-server.rs
+++ b/codex-rs/exec-server/src/bin/codex-exec-server.rs
@@ -1,4 +1,9 @@
+#[cfg(target_os = "linux")]
+use std::path::Path;
+
 use clap::Parser;
+#[cfg(target_os = "linux")]
+use codex_sandboxing::landlock::CODEX_LINUX_SANDBOX_ARG0;

 #[derive(Debug, Parser)]
 struct ExecServerArgs {
@@ -11,11 +16,30 @@ struct ExecServerArgs {
    listen: String,
 }

-#[tokio::main]
-async fn main() -> anyhow::Result<()> {
-    let args = ExecServerArgs::parse();
-    codex_exec_server::run_main_with_listen_url(&args.listen)
-        .await
-        .map_err(|err| anyhow::Error::msg(err.to_string()))?;
-    Ok(())
+fn main() -> anyhow::Result<()> {
+    dispatch_arg0();
+
+    let runtime = tokio::runtime::Runtime::new()?;
+    runtime.block_on(async {
+        let args = ExecServerArgs::parse();
+        codex_exec_server::run_main_with_listen_url(&args.listen)
+            .await
+            .map_err(|err| anyhow::Error::msg(err.to_string()))
+    })
 }
+
+#[cfg(target_os = "linux")]
+fn dispatch_arg0() {
+    let argv0 = std::env::args_os().next().unwrap_or_default();
+    let exe_name = Path::new(&argv0)
+        .file_name()
+        .and_then(|name| name.to_str())
+        .unwrap_or_default();
+
+    if exe_name == CODEX_LINUX_SANDBOX_ARG0 {
+        codex_linux_sandbox::run_main();
+    }
+}
+
+#[cfg(not(target_os = "linux"))]
+fn dispatch_arg0() {}
--- a/codex-rs/exec-server/src/local_process.rs
+++ b/codex-rs/exec-server/src/local_process.rs
@@ -104,9 +104,14 @@ struct ExecServerRuntimeConfig {

 impl ExecServerRuntimeConfig {
    fn detect() -> Self {
-        let env_path = std::env::var_os("CODEX_LINUX_SANDBOX_EXE").map(PathBuf::from);
        Self {
-            codex_linux_sandbox_exe: env_path,
+            // The Codex CLI and codex-exec-server both dispatch the Linux
+            // sandbox helper from their own executable via argv[0].
+            codex_linux_sandbox_exe: if cfg!(target_os = "linux") {
+                std::env::current_exe().ok()
+            } else {
+                None
+            },
        }
    }
 }