fix: fall back when sandbox arg0 helper disappears

2026-04-24 14:45:27 +00:00 · 2026-04-07 10:31:15 -07:00
2 changed files with 53 additions and 4 deletions
--- a/codex-rs/sandboxing/src/manager.rs
+++ b/codex-rs/sandboxing/src/manager.rs
@@ -218,6 +218,7 @@ impl SandboxManager {
            SandboxType::LinuxSeccomp => {
                let exe = codex_linux_sandbox_exe
                    .ok_or(SandboxTransformError::MissingLinuxSandboxExecutable)?;
+                let exe = usable_linux_sandbox_exe(exe);
                let allow_proxy_network = allow_network_for_proxy(enforce_managed_network);
                let mut args = create_linux_sandbox_command_args_for_policies(
                    os_argv_to_strings(argv),
@@ -232,10 +233,7 @@ impl SandboxManager {
                let mut full_command = Vec::with_capacity(1 + args.len());
                full_command.push(os_string_to_command_component(exe.as_os_str().to_owned()));
                full_command.append(&mut args);
-                (
-                    full_command,
-                    Some(linux_sandbox_arg0_override(exe.as_path())),
-                )
+                (full_command, Some(linux_sandbox_arg0_override(&exe)))
            }
            #[cfg(target_os = "windows")]
            SandboxType::WindowsRestrictedToken => (os_argv_to_strings(argv), None),
@@ -279,6 +277,29 @@ fn linux_sandbox_arg0_override(exe: &Path) -> String {
    }
 }

+fn usable_linux_sandbox_exe(exe: &Path) -> PathBuf {
+    if exe.exists()
+        || exe.file_name().and_then(|name| name.to_str()) != Some(CODEX_LINUX_SANDBOX_ARG0)
+    {
+        return exe.to_path_buf();
+    }
+
+    match std::env::current_exe() {
+        Ok(current_exe) => {
+            tracing::warn!(
+                "codex-linux-sandbox helper alias disappeared; falling back to current executable: {exe:?}"
+            );
+            current_exe
+        }
+        Err(err) => {
+            tracing::warn!(
+                "codex-linux-sandbox helper alias disappeared and current executable could not be resolved: {err}"
+            );
+            exe.to_path_buf()
+        }
+    }
+}
+
 #[cfg(test)]
 #[path = "manager_tests.rs"]
 mod tests;
--- a/codex-rs/sandboxing/src/manager_tests.rs
+++ b/codex-rs/sandboxing/src/manager_tests.rs
@@ -293,3 +293,31 @@ fn transform_linux_seccomp_uses_helper_alias_when_launcher_is_not_helper_path()

    assert_eq!(exec_request.arg0, Some("codex-linux-sandbox".to_string()));
 }
+
+#[test]
+fn usable_linux_sandbox_exe_falls_back_when_helper_alias_disappears() -> std::io::Result<()> {
+    let temp_dir = tempfile::tempdir()?;
+    let missing_helper = temp_dir.path().join("codex-linux-sandbox");
+
+    assert_eq!(
+        super::usable_linux_sandbox_exe(&missing_helper),
+        std::env::current_exe()?
+    );
+    Ok(())
+}
+
+#[cfg(target_os = "linux")]
+#[test]
+fn transform_linux_seccomp_falls_back_when_helper_alias_disappears() -> std::io::Result<()> {
+    let temp_dir = tempfile::tempdir()?;
+    let missing_helper = temp_dir.path().join("codex-linux-sandbox");
+    let exec_request = transform_linux_seccomp_request(&missing_helper);
+    let current_exe = std::env::current_exe()?;
+
+    assert_eq!(
+        exec_request.command.first(),
+        Some(&current_exe.to_string_lossy().into_owned())
+    );
+    assert_eq!(exec_request.arg0, Some("codex-linux-sandbox".to_string()));
+    Ok(())
+}