clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-25 15:15:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(linux-sandbox): ignore missing writable roots (#14890)

Browse Source 
## Summary
- skip nonexistent `workspace-write` writable roots in the Linux
bubblewrap mount builder instead of aborting sandbox startup
- keep existing writable roots mounted normally so mixed Windows/WSL
configs continue to work
- add unit and Linux integration regression coverage for the
missing-root case

## Context
This addresses regression A from #14875. Regression B will be handled in
a separate PR.

The old bubblewrap integration added `ensure_mount_targets_exist` as a
preflight guard because bubblewrap bind targets must exist, and failing
early let Codex return a clearer error than a lower-level mount failure.

That policy turned out to be too strict once bubblewrap became the
default Linux sandbox: shared Windows/WSL or mixed-platform configs can
legitimately contain a well-formed writable root that does not exist on
the current machine. This PR keeps bubblewrap's existing-target
requirement, but changes Codex to skip missing writable roots instead of
treating them as fatal configuration errors.
This commit is contained in:
viyatb-oai
2026-03-17 00:21:00 -07:00
committed by GitHub
parent d37dcca7e0
commit 603b6493a9
2 changed files with 71 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
codex-rs/linux-sandbox/tests/suite/landlock.rs
View File

@@ -310,6 +310,32 @@ async fn test_writable_root() {
.await;
}
#[tokio::test]
async fn sandbox_ignores_missing_writable_roots_under_bwrap() {
if should_skip_bwrap_tests().await {
eprintln!("skipping bwrap test: bwrap sandbox prerequisites are unavailable");
return;
}
let tempdir = tempfile::tempdir().expect("tempdir");
let existing_root = tempdir.path().join("existing");
let missing_root = tempdir.path().join("missing");
std::fs::create_dir(&existing_root).expect("create existing root");
let output = run_cmd_result_with_writable_roots(
&["bash", "-lc", "printf sandbox-ok"],
&[existing_root, missing_root],
LONG_TIMEOUT_MS,
false,
true,
)
.await
.expect("sandboxed command should execute");
assert_eq!(output.exit_code, 0);
assert_eq!(output.stdout.text, "sandbox-ok");
}
#[tokio::test]
async fn test_no_new_privs_is_enabled() {
let output = run_cmd_output(