mirror of
https://github.com/openai/codex.git
synced 2026-04-25 15:15:15 +00:00
ae4de43ccc894e389868b60e190306301a37806b
13 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
viyatb-oai
|
ae4de43ccc |
feat(linux-sandbox): add bwrap support (#9938)
## Summary This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The curent Linux sandbox path relies on in-process restrictions (including Landlock). Bubblewrap gives us a more uniform filesystem isolation model, especially explicit writable roots with the option to make some directories read-only and granular network controls. This is behind a feature flag so we can validate behavior safely before making it the default. - Added temporary rollout flag: - `features.use_linux_sandbox_bwrap` - Preserved existing default path when the flag is off. - In Bubblewrap mode: - Added internal retry without /proc when /proc mount is not permitted by the host/container. |
||
|
viyatb-oai
|
f956cc2a02 |
feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)
## Summary Vendor Bubblewrap into the repo and add minimal build plumbing in `codex-linux-sandbox` to compile/link it. ## Why We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout: 1) vendoring/build setup (this PR), 2) runtime integration (follow-up PR). ## Included - Add `codex-rs/vendor/bubblewrap` sources. - Add build-time FFI path in `codex-rs/linux-sandbox`. - Update `build.rs` rerun tracking for vendored files. - Small vendored compile warning fix (`sockaddr_nl` full init). follow up in https://github.com/openai/codex/pull/9938 |
||
|
viyatb-oai
|
2259031d64 |
fix: fallback to Landlock-only when user namespaces unavailable and set PR_SET_NO_NEW_PRIVS early (#9250)
fixes https://github.com/openai/codex/issues/9236 ### Motivation - Prevent sandbox setup from failing when unprivileged user namespaces are denied so Landlock-only protections can still be applied. - Ensure `PR_SET_NO_NEW_PRIVS` is set before installing seccomp and Landlock restrictions to avoid kernel `EPERM`/`LandlockRestrict` ordering issues. ### Description - Add `is_permission_denied` helper that detects `EPERM` / `PermissionDenied` from `CodexErr` to drive fallback logic. - In `apply_read_only_mounts` skip read-only bind-mount setup and return `Ok(())` when `unshare_user_and_mount_namespaces()` fails with permission-denied so Landlock rules can still be installed. - Add `set_no_new_privs()` and call it from `apply_sandbox_policy_to_current_thread` before installing seccomp filters and Landlock rules when disk or network access is restricted. |
||
|
Michael Bolin
|
642b7566df |
fix: introduce AbsolutePathBuf as part of sandbox config (#7856)
Changes the `writable_roots` field of the `WorkspaceWrite` variant of the `SandboxPolicy` enum from `Vec<PathBuf>` to `Vec<AbsolutePathBuf>`. This is helpful because now callers can be sure the value is an absolute path rather than a relative one. (Though when using an absolute path in a Seatbelt config policy, we still have to _canonicalize_ it first.) Because `writable_roots` can be read from a config file, it is important that we are able to resolve relative paths properly using the parent folder of the config file as the base path. |
||
|
Josh McKinney
|
ec49b56874 |
chore: add cargo-deny configuration (#7119)
- add GitHub workflow running cargo-deny on push/PR - document cargo-deny allowlist with workspace-dep notes and advisory ignores - align workspace crates to inherit version/edition/license for consistent checks |
||
|
jif-oai
|
e5fe50d3ce |
chore: unify cargo versions (#4044)
Unify cargo versions at root |
||
|
jif-oai
|
a9c68ea270 |
feat: Run cargo shear during CI (#3338)
Run cargo shear as part of the CI to ensure no unused dependencies |
||
|
dependabot[bot]
|
52f0b95102 |
chore(deps): bump libc from 0.2.174 to 0.2.175 in /codex-rs (#2406)
Bumps [libc](https://github.com/rust-lang/libc) from 0.2.174 to 0.2.175. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/releases">libc's releases</a>.</em></p> <blockquote> <h2>0.2.175</h2> <h3>Added</h3> <ul> <li>AIX: Add <code>getpeereid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4524">#4524</a>)</li> <li>AIX: Add <code>struct ld_info</code> and friends (<a href="https://redirect.github.com/rust-lang/libc/pull/4578">#4578</a>)</li> <li>AIX: Retore <code>struct winsize</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4577">#4577</a>)</li> <li>Android: Add UDP socket option constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4619">#4619</a>)</li> <li>Android: Add <code>CLONE_CLEAR_SIGHAND</code> and <code>CLONE_INTO_CGROUP</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4502">#4502</a>)</li> <li>Android: Add more <code>prctl</code> constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4531">#4531</a>)</li> <li>FreeBSD Add further TCP stack-related constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4196">#4196</a>)</li> <li>FreeBSD x86-64: Add <code>mcontext_t.mc_tlsbase </code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4503">#4503</a>)</li> <li>FreeBSD15: Add <code>kinfo_proc.ki_uerrmsg</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>FreeBSD: Add <code>in_conninfo</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xinpgen</code> and related types (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xktls_session</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>Haiku: Add functionality from <code>libbsd</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4221">#4221</a>)</li> <li>Linux: Add <code>SECBIT_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4480">#4480</a>)</li> <li>NetBSD, OpenBSD: Export <code>ioctl</code> request generator macros (<a href="https://redirect.github.com/rust-lang/libc/pull/4460">#4460</a>)</li> <li>NetBSD: Add <code>ptsname_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4608">#4608</a>)</li> <li>RISCV32: Add time-related syscalls (<a href="https://redirect.github.com/rust-lang/libc/pull/4612">#4612</a>)</li> <li>Solarish: Add <code>strftime*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4453">#4453</a>)</li> <li>linux: Add <code>EXEC_RESTRICT_*</code> and <code>EXEC_DENY_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4545">#4545</a>)</li> </ul> <h3>Changed</h3> <ul> <li>AIX: Add <code>const</code> to signatures to be consistent with other platforms (<a href="https://redirect.github.com/rust-lang/libc/pull/4563">#4563</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>AIX: Fix the type of <code>struct statvfs.f_fsid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4576">#4576</a>)</li> <li>AIX: Fix the type of constants for the <code>ioctl</code> <code>request</code> argument (<a href="https://redirect.github.com/rust-lang/libc/pull/4582">#4582</a>)</li> <li>AIX: Fix the types of <code>stat{,64}.st_*tim</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4597">#4597</a>)</li> <li>AIX: Use unique <code>errno</code> values (<a href="https://redirect.github.com/rust-lang/libc/pull/4507">#4507</a>)</li> <li>Build: Fix an incorrect <code>target_os</code> -> <code>target_arch</code> check (<a href="https://redirect.github.com/rust-lang/libc/pull/4550">#4550</a>)</li> <li>FreeBSD: Fix the type of <code>xktls_session_onedir.ifnet</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>Mips64 musl: Fix the type of <code>nlink_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4509">#4509</a>)</li> <li>Mips64 musl: Use a special MIPS definition of <code>stack_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4528">#4528</a>)</li> <li>Mips64: Fix <code>SI_TIMER</code>, <code>SI_MESGQ</code> and <code>SI_ASYNCIO</code> definitions (<a href="https://redirect.github.com/rust-lang/libc/pull/4529">#4529</a>)</li> <li>Musl Mips64: Swap the order of <code>si_errno</code> and <code>si_code</code> in <code>siginfo_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4530">#4530</a>)</li> <li>Musl Mips64: Use a special MIPS definition of <code>statfs</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4527">#4527</a>)</li> <li>Musl: Fix the definition of <code>fanotify_event_metadata</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4510">#4510</a>)</li> <li>NetBSD: Correct <code>enum fae_action</code> to be <code>#[repr(C)]</code> (<a href=" |
||
|
pakrym-oai
|
51b6bdefbe |
Auto format toml (#1745)
Add recommended extension and configure it to auto format prompt. |
||
|
Michael Bolin
|
9102255854 | fix: move arg0 handling out of codex-linux-sandbox and into its own crate (#1697) | ||
|
Michael Bolin
|
d6c4083f98 |
feat: support dotenv (including ~/.codex/.env) (#1653)
This PR adds a `load_dotenv()` helper function to the `codex-common` crate that is available when the `cli` feature is enabled. The function uses [`dotenvy`](https://crates.io/crates/dotenvy) to update the environment from: - `$CODEX_HOME/.env` - `$(pwd)/.env` To test: - ran `printenv OPENAI_API_KEY` to verify the env var exists in my environment - ran `just codex exec hello` to verify the CLI uses my `OPENAI_API_KEY` - ran `unset OPENAI_API_KEY` - ran `just codex exec hello` again and got **ERROR: Missing environment variable: `OPENAI_API_KEY`**, as expected - created `~/.codex/.env` and added `OPENAI_API_KEY=sk-proj-...` (also ran `chmod 400 ~/.codex/.env` for good measure) - ran `just codex exec hello` again and it worked, verifying it picked up `OPENAI_API_KEY` from `~/.codex/.env` Note this functionality was available in the TypeScript CLI: https://github.com/openai/codex/pull/122 and was recently requested over on https://github.com/openai/codex/issues/1262#issuecomment-3093203551. |
||
|
Michael Bolin
|
0776d78357 |
feat: redesign sandbox config (#1373)
This is a major redesign of how sandbox configuration works and aims to fix https://github.com/openai/codex/issues/1248. Specifically, it replaces `sandbox_permissions` in `config.toml` (and the `-s`/`--sandbox-permission` CLI flags) with a "table" with effectively three variants: ```toml # Safest option: full disk is read-only, but writes and network access are disallowed. [sandbox] mode = "read-only" # The cwd of the Codex task is writable, as well as $TMPDIR on macOS. # writable_roots can be used to specify additional writable folders. [sandbox] mode = "workspace-write" writable_roots = [] # Optional, defaults to the empty list. network_access = false # Optional, defaults to false. # Disable sandboxing: use at your own risk!!! [sandbox] mode = "danger-full-access" ``` This should make sandboxing easier to reason about. While we have dropped support for `-s`, the way it works now is: - no flags => `read-only` - `--full-auto` => `workspace-write` - currently, there is no way to specify `danger-full-access` via a CLI flag, but we will revisit that as part of https://github.com/openai/codex/issues/1254 Outstanding issue: - As noted in the `TODO` on `SandboxPolicy::is_unrestricted()`, we are still conflating sandbox preferences with approval preferences in that case, which needs to be cleaned up. |
||
|
Michael Bolin
|
89ef4efdcf |
fix: overhaul how we spawn commands under seccomp/landlock on Linux (#1086)
Historically, we spawned the Seatbelt and Landlock sandboxes in substantially different ways: For **Seatbelt**, we would run `/usr/bin/sandbox-exec` with our policy specified as an arg followed by the original command: |