feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

## Summary Vendor Bubblewrap into the repo and add minimal build plumbing in `codex-linux-sandbox` to compile/link it. ## Why We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout: 1) vendoring/build setup (this PR), 2) runtime integration (follow-up PR). ## Included - Add `codex-rs/vendor/bubblewrap` sources. - Add build-time FFI path in `codex-rs/linux-sandbox`. - Update `build.rs` rerun tracking for vendored files. - Small vendored compile warning fix (`sockaddr_nl` full init). follow up in https://github.com/openai/codex/pull/9938
2026-04-26 23:55:25 +00:00 · 2026-02-02 23:33:46 -08:00
parent 53d8474061
commit f956cc2a02
57 changed files with 11261 additions and 6 deletions
--- a/codex-rs/vendor/bubblewrap/tests/use-as-subproject/.gitignore
+++ b/codex-rs/vendor/bubblewrap/tests/use-as-subproject/.gitignore
@@ -0,0 +1,2 @@
+/_build/
+/subprojects/
--- a/codex-rs/vendor/bubblewrap/tests/use-as-subproject/README
+++ b/codex-rs/vendor/bubblewrap/tests/use-as-subproject/README
@@ -0,0 +1,3 @@
+This is a simple example of a project that uses bubblewrap as a
+subproject. The intention is that if this project can successfully build
+bubblewrap as a subproject, then so could Flatpak.
--- a/codex-rs/vendor/bubblewrap/tests/use-as-subproject/assert-correct-rpath.py
+++ b/codex-rs/vendor/bubblewrap/tests/use-as-subproject/assert-correct-rpath.py
@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+# Copyright 2022 Collabora Ltd.
+# SPDX-License-Identifier: LGPL-2.0-or-later
+
+import subprocess
+import sys
+
+if __name__ == '__main__':
+    completed = subprocess.run(
+        ['objdump', '-T', '-x', sys.argv[1]],
+        stdout=subprocess.PIPE,
+    )
+    stdout = completed.stdout
+    assert stdout is not None
+    seen_rpath = False
+
+    for line in stdout.splitlines():
+        words = line.strip().split()
+
+        if words and words[0] in (b'RPATH', b'RUNPATH'):
+            print(line.decode(errors='backslashreplace'))
+            assert len(words) == 2, words
+            assert words[1] == b'${ORIGIN}/../lib', words
+            seen_rpath = True
+
+    assert seen_rpath
--- a/codex-rs/vendor/bubblewrap/tests/use-as-subproject/config.h
+++ b/codex-rs/vendor/bubblewrap/tests/use-as-subproject/config.h
@@ -0,0 +1 @@
+#error Should not use superproject config.h to compile bubblewrap
--- a/codex-rs/vendor/bubblewrap/tests/use-as-subproject/dummy-config.h.in
+++ b/codex-rs/vendor/bubblewrap/tests/use-as-subproject/dummy-config.h.in
@@ -0,0 +1 @@
+#error Should not use superproject generated config.h to compile bubblewrap
--- a/codex-rs/vendor/bubblewrap/tests/use-as-subproject/meson.build
+++ b/codex-rs/vendor/bubblewrap/tests/use-as-subproject/meson.build
@@ -0,0 +1,20 @@
+project(
+  'use-bubblewrap-as-subproject',
+  'c',
+  version : '0',
+  meson_version : '>=0.49.0',
+)
+
+configure_file(
+  output : 'config.h',
+  input : 'dummy-config.h.in',
+  configuration : configuration_data(),
+)
+
+subproject(
+  'bubblewrap',
+  default_options : [
+    'install_rpath=${ORIGIN}/../lib',
+    'program_prefix=not-flatpak-',
+  ],
+)
				`@@ -0,0 +1 @@`
				`#error Should not use superproject config.h to compile bubblewrap`
				`@@ -0,0 +1 @@`
				`#error Should not use superproject generated config.h to compile bubblewrap`