mirror of
https://github.com/openai/codex.git
synced 2026-05-14 08:12:36 +00:00
26f355b67b
**Summary** - Add `codex-bwrap`, a standalone `bwrap` binary built from the existing vendored bubblewrap sources. - Remove the linked vendored bwrap path from `codex-linux-sandbox`; runtime now prefers system `bwrap` and falls back to bundled `codex-resources/bwrap`. - Add bundled SHA-256 verification with missing/all-zero digest as the dev-mode skip value, then exec the verified file through `/proc/self/fd`. - Keep `launcher.rs` focused on choosing and dispatching the preferred launcher. Bundled lookup, digest verification, and bundled exec now live in `linux-sandbox/src/bundled_bwrap.rs`; Bazel runfiles lookup lives in `linux-sandbox/src/bazel_bwrap.rs`; shared argv/fd exec helpers live in `linux-sandbox/src/exec_util.rs`. - Teach Bazel tests to surface the Bazel-built `//codex-rs/bwrap:bwrap` through `CARGO_BIN_EXE_bwrap`; `codex-linux-sandbox` only honors that fallback in debug Bazel runfiles environments so release/user runtime lookup stays tied to `codex-resources/bwrap`. - Allow `codex-exec-server` filesystem helpers to preserve just the Bazel bwrap/runfiles variables they need in debug Bazel builds, since those helpers intentionally rebuild a small environment before spawning `codex-linux-sandbox`. - Verify the Bazel bwrap target in Linux release CI with a build-only check. Running `bwrap --version` is too strong for GitHub runners because bubblewrap still attempts namespace setup there. **Verification** - Latest update: `cargo test -p codex-linux-sandbox` - Latest update: `just fix -p codex-linux-sandbox` - `cargo check --target x86_64-unknown-linux-gnu -p codex-linux-sandbox` could not run locally because this macOS machine does not have `x86_64-linux-gnu-gcc`; GitHub Linux Bazel CI is expected to cover the Linux-only modules. - Earlier in this PR: `cargo test -p codex-bwrap` - Earlier in this PR: `cargo test -p codex-exec-server` - Earlier in this PR: `cargo check --release -p codex-exec-server` - Earlier in this PR: `just fix -p codex-linux-sandbox -p codex-exec-server` - Earlier in this PR: `bazel test --nobuild //codex-rs/linux-sandbox:linux-sandbox-all-test //codex-rs/core:core-all-test //codex-rs/exec-server:exec-server-file_system-test //codex-rs/app-server:app-server-all-test` (analysis completed; Bazel then refuses to run tests under `--nobuild`) - Earlier in this PR: `bazel build --nobuild //codex-rs/bwrap:bwrap` - Prior to this update: `just bazel-lock-update`, `just bazel-lock-check`, and YAML parse check for `.github/workflows/bazel.yml` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/21255). * #21257 * #21256 * __->__ #21255
85 lines
4.2 KiB
Markdown
85 lines
4.2 KiB
Markdown
# codex-core
|
|
|
|
This crate implements the business logic for Codex. It is designed to be used by the various Codex UIs written in Rust.
|
|
|
|
## Dependencies
|
|
|
|
Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:
|
|
|
|
### macOS
|
|
|
|
Expects `/usr/bin/sandbox-exec` to be present.
|
|
|
|
When using the workspace-write sandbox policy, the Seatbelt profile allows
|
|
writes under the configured writable roots while keeping `.git` (directory or
|
|
pointer file), the resolved `gitdir:` target, and `.codex` read-only.
|
|
|
|
Network access and filesystem read/write roots are controlled by
|
|
`SandboxPolicy`. Seatbelt consumes the resolved policy and enforces it.
|
|
|
|
Seatbelt also keeps the legacy default preferences read access
|
|
(`user-preference-read`) needed for cfprefs-backed macOS behavior.
|
|
|
|
### Linux
|
|
|
|
Expects the binary containing `codex-core` to run the equivalent of `codex sandbox linux` (legacy alias: `codex debug landlock`) when `arg0` is `codex-linux-sandbox`. See the `codex-arg0` crate for details.
|
|
|
|
Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on Linux.
|
|
They can continue to use the legacy Landlock path when the split filesystem
|
|
policy is sandbox-equivalent to the legacy model after `cwd` resolution.
|
|
Split filesystem policies that need direct `FileSystemSandboxPolicy`
|
|
enforcement, such as read-only or denied carveouts under a broader writable
|
|
root, automatically route through bubblewrap. The legacy Landlock path is used
|
|
only when the split filesystem policy round-trips through the legacy
|
|
`SandboxPolicy` model without changing semantics. That includes overlapping
|
|
cases like `/repo = write`, `/repo/a = none`, `/repo/a/b = write`, where the
|
|
more specific writable child must reopen under a denied parent.
|
|
|
|
The Linux sandbox helper prefers the first `bwrap` found on `PATH` outside the
|
|
current working directory whenever it is available. If `bwrap` is present but
|
|
too old to support `--argv0`, the helper keeps using system bubblewrap and
|
|
switches to a no-`--argv0` compatibility path for the inner re-exec. If
|
|
`bwrap` is missing, it falls back to the bundled `codex-resources/bwrap`
|
|
binary shipped with Codex and Codex surfaces a startup warning through its
|
|
normal notification path instead of printing directly from the sandbox helper.
|
|
Codex also surfaces a startup warning when bubblewrap cannot create user
|
|
namespaces. WSL2 uses the normal Linux bubblewrap path. WSL1 is not supported
|
|
for bubblewrap sandboxing because it cannot create the required user
|
|
namespaces, so Codex rejects sandboxed shell commands that would enter the
|
|
bubblewrap path before invoking `bwrap`.
|
|
|
|
### Windows
|
|
|
|
Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on
|
|
Windows. Legacy `read-only` and `workspace-write` policies imply full
|
|
filesystem read access; exact readable roots are represented by split
|
|
filesystem policies instead.
|
|
|
|
The elevated Windows sandbox also supports:
|
|
|
|
- legacy `ReadOnly` and `WorkspaceWrite` behavior
|
|
- split filesystem policies that need exact readable roots, exact writable
|
|
roots, or extra read-only carveouts under writable roots
|
|
- backend-managed system read roots required for basic execution, such as
|
|
`C:\Windows`, `C:\Program Files`, `C:\Program Files (x86)`, and
|
|
`C:\ProgramData`, when a split filesystem policy requests platform defaults
|
|
|
|
The unelevated restricted-token backend still supports the legacy full-read
|
|
Windows model for legacy `ReadOnly` and `WorkspaceWrite` behavior. It also
|
|
supports a narrow split-filesystem subset: full-read split policies whose
|
|
writable roots still match the legacy `WorkspaceWrite` root set, but add extra
|
|
read-only carveouts under those writable roots.
|
|
|
|
New `[permissions]` / split filesystem policies remain supported on Windows
|
|
only when they can be enforced directly by the selected Windows backend or
|
|
round-trip through the legacy `SandboxPolicy` model without changing semantics.
|
|
Policies that would require direct explicit unreadable carveouts (`none`) or
|
|
reopened writable descendants under read-only carveouts still fail closed
|
|
instead of running with weaker enforcement.
|
|
|
|
### All Platforms
|
|
|
|
Expects the binary containing `codex-core` to simulate the virtual
|
|
`apply_patch` CLI when `arg1` is `--codex-run-as-apply-patch`. See the
|
|
`codex-arg0` crate for details.
|