feat(linux-sandbox): add bwrap support (#9938)

## Summary This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The curent Linux sandbox path relies on in-process restrictions (including Landlock). Bubblewrap gives us a more uniform filesystem isolation model, especially explicit writable roots with the option to make some directories read-only and granular network controls. This is behind a feature flag so we can validate behavior safely before making it the default. - Added temporary rollout flag: - `features.use_linux_sandbox_bwrap` - Preserved existing default path when the flag is off. - In Bubblewrap mode: - Added internal retry without /proc when /proc mount is not permitted by the host/container.
2026-06-01 19:02:59 +00:00 · 2026-02-04 11:13:17 -08:00
parent 95269ce88b
commit ae4de43ccc
31 changed files with 607 additions and 517 deletions
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -8,6 +8,7 @@ retry without sandbox on denial (no re‑approval thanks to caching).
 use crate::error::CodexErr;
 use crate::error::SandboxErr;
 use crate::exec::ExecToolCallOutput;
+use crate::features::Feature;
 use crate::sandboxing::SandboxManager;
 use crate::tools::sandboxing::ApprovalCtx;
 use crate::tools::sandboxing::ExecApprovalRequirement;
@@ -97,12 +98,14 @@ impl ToolOrchestrator {

        // Platform-specific flag gating is handled by SandboxManager::select_initial
        // via crate::safety::get_platform_sandbox(..).
+        let use_linux_sandbox_bwrap = turn_ctx.features.enabled(Feature::UseLinuxSandboxBwrap);
        let initial_attempt = SandboxAttempt {
            sandbox: initial_sandbox,
            policy: &turn_ctx.sandbox_policy,
            manager: &self.sandbox,
            sandbox_cwd: &turn_ctx.cwd,
            codex_linux_sandbox_exe: turn_ctx.codex_linux_sandbox_exe.as_ref(),
+            use_linux_sandbox_bwrap,
            windows_sandbox_level: turn_ctx.windows_sandbox_level,
        };

@@ -154,6 +157,7 @@ impl ToolOrchestrator {
                    manager: &self.sandbox,
                    sandbox_cwd: &turn_ctx.cwd,
                    codex_linux_sandbox_exe: None,
+                    use_linux_sandbox_bwrap,
                    windows_sandbox_level: turn_ctx.windows_sandbox_level,
                };

--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -274,6 +274,7 @@ pub(crate) struct SandboxAttempt<'a> {
    pub(crate) manager: &'a SandboxManager,
    pub(crate) sandbox_cwd: &'a Path,
    pub codex_linux_sandbox_exe: Option<&'a std::path::PathBuf>,
+    pub use_linux_sandbox_bwrap: bool,
    pub windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel,
 }

@@ -282,14 +283,16 @@ impl<'a> SandboxAttempt<'a> {
        &self,
        spec: CommandSpec,
    ) -> Result<crate::sandboxing::ExecEnv, SandboxTransformError> {
-        self.manager.transform(
-            spec,
-            self.policy,
-            self.sandbox,
-            self.sandbox_cwd,
-            self.codex_linux_sandbox_exe,
-            self.windows_sandbox_level,
-        )
+        self.manager
+            .transform(crate::sandboxing::SandboxTransformRequest {
+                spec,
+                policy: self.policy,
+                sandbox: self.sandbox,
+                sandbox_policy_cwd: self.sandbox_cwd,
+                codex_linux_sandbox_exe: self.codex_linux_sandbox_exe,
+                use_linux_sandbox_bwrap: self.use_linux_sandbox_bwrap,
+                windows_sandbox_level: self.windows_sandbox_level,
+            })
    }
 }