feat(linux-sandbox): add bwrap support (#9938)

## Summary This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The curent Linux sandbox path relies on in-process restrictions (including Landlock). Bubblewrap gives us a more uniform filesystem isolation model, especially explicit writable roots with the option to make some directories read-only and granular network controls. This is behind a feature flag so we can validate behavior safely before making it the default. - Added temporary rollout flag: - `features.use_linux_sandbox_bwrap` - Preserved existing default path when the flag is off. - In Bubblewrap mode: - Added internal retry without /proc when /proc mount is not permitted by the host/container.
2026-04-29 00:55:38 +00:00 · 2026-02-04 11:13:17 -08:00
parent 95269ce88b
commit ae4de43ccc
31 changed files with 607 additions and 517 deletions
--- a/codex-rs/linux-sandbox/src/vendored_bwrap.rs
+++ b/codex-rs/linux-sandbox/src/vendored_bwrap.rs
@@ -13,22 +13,35 @@ mod imp {
        fn bwrap_main(argc: libc::c_int, argv: *const *const c_char) -> libc::c_int;
    }

-    /// Execute the build-time bubblewrap `main` function with the given argv.
-    pub(crate) fn exec_vendored_bwrap(argv: Vec<String>) -> ! {
+    fn argv_to_cstrings(argv: &[String]) -> Vec<CString> {
        let mut cstrings: Vec<CString> = Vec::with_capacity(argv.len());
-        for arg in &argv {
+        for arg in argv {
            match CString::new(arg.as_str()) {
                Ok(value) => cstrings.push(value),
                Err(err) => panic!("failed to convert argv to CString: {err}"),
            }
        }
+        cstrings
+    }
+
+    /// Run the build-time bubblewrap `main` function and return its exit code.
+    ///
+    /// On success, bubblewrap will `execve` into the target program and this
+    /// function will never return. A return value therefore implies failure.
+    pub(crate) fn run_vendored_bwrap_main(argv: &[String]) -> libc::c_int {
+        let cstrings = argv_to_cstrings(argv);

        let mut argv_ptrs: Vec<*const c_char> = cstrings.iter().map(|arg| arg.as_ptr()).collect();
        argv_ptrs.push(std::ptr::null());

        // SAFETY: We provide a null-terminated argv vector whose pointers
        // remain valid for the duration of the call.
-        let exit_code = unsafe { bwrap_main(cstrings.len() as libc::c_int, argv_ptrs.as_ptr()) };
+        unsafe { bwrap_main(cstrings.len() as libc::c_int, argv_ptrs.as_ptr()) }
+    }
+
+    /// Execute the build-time bubblewrap `main` function with the given argv.
+    pub(crate) fn exec_vendored_bwrap(argv: Vec<String>) -> ! {
+        let exit_code = run_vendored_bwrap_main(&argv);
        std::process::exit(exit_code);
    }
 }
@@ -36,7 +49,7 @@ mod imp {
 #[cfg(not(vendored_bwrap_available))]
 mod imp {
    /// Panics with a clear error when the build-time bwrap path is not enabled.
-    pub(crate) fn exec_vendored_bwrap(_argv: Vec<String>) -> ! {
+    pub(crate) fn run_vendored_bwrap_main(_argv: &[String]) -> libc::c_int {
        panic!(
            "build-time bubblewrap is not available in this build.\n\
 Rebuild codex-linux-sandbox on Linux with CODEX_BWRAP_ENABLE_FFI=1.\n\
@@ -49,6 +62,13 @@ Notes:\n\
 - bubblewrap sources expected at codex-rs/vendor/bubblewrap (default)"
        );
    }
+
+    /// Panics with a clear error when the build-time bwrap path is not enabled.
+    pub(crate) fn exec_vendored_bwrap(_argv: Vec<String>) -> ! {
+        let _ = run_vendored_bwrap_main(&[]);
+        unreachable!("run_vendored_bwrap_main should always panic in this configuration")
+    }
 }

 pub(crate) use imp::exec_vendored_bwrap;
+pub(crate) use imp::run_vendored_bwrap_main;