feat(linux-sandbox): implement proxy-only egress via TCP-UDS-TCP bridge (#11293)

## Summary - Implement Linux proxy-only routing in `codex-rs/linux-sandbox` with a two-stage bridge: host namespace `loopback TCP proxy endpoint -> UDS`, then bwrap netns `loopback TCP listener -> host UDS`. - Add hidden `--proxy-route-spec` plumbing for outer-to-inner stage handoff. - Fail closed in proxy mode when no valid loopback proxy endpoints can be routed. - Introduce explicit network seccomp modes: `Restricted` (legacy restricted networking) and `ProxyRouted` (allow INET/INET6 for routed proxy access, deny `AF_UNIX` and `socketpair`). - Enforce that proxy bridge/routing is bwrap-only by validating `--apply-seccomp-then-exec` requires `--use-bwrap-sandbox`. - Keep landlock-only flows unchanged (no proxy bridge behavior outside bwrap). --------- Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
2026-04-29 17:06:51 +00:00 · 2026-02-21 10:16:34 -08:00
parent e7b6f38b58
commit b3202cbd58
11 changed files with 1501 additions and 149 deletions
--- a/codex-rs/linux-sandbox/src/bwrap.rs
+++ b/codex-rs/linux-sandbox/src/bwrap.rs
@@ -49,8 +49,8 @@ pub(crate) enum BwrapNetworkMode {
    Isolated,
    /// Intended proxy-only mode.
    ///
-    /// Bubblewrap does not currently enforce proxy-only egress, so this is
-    /// treated as isolated for fail-closed behavior.
+    /// Bubblewrap enforces this by unsharing the network namespace. The
+    /// proxy-routing bridge is established by the helper process after startup.
    ProxyOnly,
 }

@@ -323,6 +323,7 @@ fn find_first_non_existent_component(target_path: &Path) -> Option<PathBuf> {
 mod tests {
    use super::*;
    use codex_protocol::protocol::SandboxPolicy;
+    use codex_utils_absolute_path::AbsolutePathBuf;
    use pretty_assertions::assert_eq;

    #[test]
@@ -373,4 +374,33 @@ mod tests {
            ]
        );
    }
+
+    #[test]
+    fn mounts_dev_before_writable_dev_binds() {
+        let sandbox_policy = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![AbsolutePathBuf::try_from(Path::new("/dev")).expect("/dev path")],
+            read_only_access: Default::default(),
+            network_access: false,
+            exclude_tmpdir_env_var: true,
+            exclude_slash_tmp: true,
+        };
+
+        let args = create_filesystem_args(&sandbox_policy, Path::new("/")).expect("bwrap fs args");
+        assert_eq!(
+            args,
+            vec![
+                "--ro-bind".to_string(),
+                "/".to_string(),
+                "/".to_string(),
+                "--dev".to_string(),
+                "/dev".to_string(),
+                "--bind".to_string(),
+                "/dev".to_string(),
+                "/dev".to_string(),
+                "--bind".to_string(),
+                "/".to_string(),
+                "/".to_string(),
+            ]
+        );
+    }
 }