fixes https://github.com/openai/codex/issues/9236

### Motivation

- Prevent sandbox setup from failing when unprivileged user namespaces are denied so Landlock-only protections can still be applied.
- Ensure `PR_SET_NO_NEW_PRIVS` is set before installing seccomp and Landlock restrictions to avoid kernel `EPERM`/`LandlockRestrict` ordering issues.

### Description

- Add `is_permission_denied` helper that detects `EPERM` / `PermissionDenied` from `CodexErr` to drive fallback logic.
- In `apply_read_only_mounts` skip read-only bind-mount setup and return `Ok(())` when `unshare_user_and_mount_namespaces()` fails with permission-denied so Landlock rules can still be installed.
- Add `set_no_new_privs()` and call it from `apply_sandbox_policy_to_current_thread` before installing seccomp filters and Landlock rules when disk or network access is restricted.
# codex-linux-sandbox

This crate is responsible for producing:

- a `codex-linux-sandbox` standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
- a lib crate that exposes the business logic of the executable as `run_main()` so that
  - the `codex-exec` CLI can check if its arg0 is `codex-linux-sandbox` and, if so, execute as if it were `codex-linux-sandbox`
  - this should also be true of the `codex` multitool CLI
  - the
## Git safety mounts (Linux)

When the sandbox policy allows workspace writes, the Linux sandbox uses a user
namespace plus a mount namespace to bind-mount sensitive subpaths read-only
before applying Landlock rules. This keeps Git and Codex metadata immutable
while still allowing writes to other workspace files, including worktree setups
where `.git` is a pointer file.

Protected subpaths under each writable root include:

- `.git` (directory or pointer file)
- the resolved `gitdir:` target when `.git` is a pointer file
- `.codex` when present
### How this plays with Landlock

Mount permissions and Landlock intersect: if a bind mount is read-only, writes
are denied even if Landlock would allow them. For that reason, the sandbox sets
up the read-only mounts before calling `landlock_restrict_self()` and then
applies Landlock rules on top.
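The two rules described above and in the PR description (set `PR_SET_NO_NEW_PRIVS` first, degrade to Landlock-only protection when unprivileged user namespaces are denied, and never swallow any other namespace error) as an added example, not the crate's or the PR's own code. It builds against `std` alone, with `prctl` and `unshare` declared by hand and their constants copied from the Linux headers; the helper names mirror the PR's but their signatures, the `MountOutcome` enum, the injected closures for the namespace and Landlock/seccomp steps, and the returned step list are assumptions made for the illustration.

```rust
use std::io;
use std::os::raw::{c_int, c_ulong};

// Constants copied from <linux/prctl.h> and <linux/sched.h>; declared here so the
// example builds with std alone (no libc crate). Linux only.
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const PR_GET_NO_NEW_PRIVS: c_int = 39;
const CLONE_NEWNS: c_int = 0x0002_0000;
const CLONE_NEWUSER: c_int = 0x1000_0000;
const EPERM: i32 = 1;

unsafe extern "C" {
    fn prctl(option: c_int, ...) -> c_int;
    fn unshare(flags: c_int) -> c_int;
}

/// Stand-in for the PR's `is_permission_denied` helper: true for EPERM or for
/// any error std already classifies as PermissionDenied (EACCES maps there too).
pub fn is_permission_denied(err: &io::Error) -> bool {
    err.raw_os_error() == Some(EPERM) || err.kind() == io::ErrorKind::PermissionDenied
}

/// Set PR_SET_NO_NEW_PRIVS on the calling thread. Unprivileged seccomp and
/// Landlock installation require it, so it must run before either.
pub fn set_no_new_privs() -> io::Result<()> {
    let rc = unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) };
    if rc != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

/// Read the flag back; PR_GET_NO_NEW_PRIVS returns 0 or 1 for the calling thread.
pub fn no_new_privs_is_set() -> io::Result<bool> {
    let rc = unsafe { prctl(PR_GET_NO_NEW_PRIVS, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) };
    if rc < 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(rc == 1)
}

/// The real namespace step: a user namespace (so an unprivileged process may own
/// a mount namespace) plus the mount namespace for the read-only bind mounts.
pub fn unshare_user_and_mount_namespaces() -> io::Result<()> {
    if unsafe { unshare(CLONE_NEWUSER | CLONE_NEWNS) } != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

#[derive(Debug, PartialEq, Eq)]
pub enum MountOutcome {
    /// Namespaces were created; the bind-mount step would follow here.
    Applied,
    /// Unprivileged user namespaces are denied: skip mounts, continue to Landlock.
    SkippedPermissionDenied,
}

/// The PR's fallback, with the namespace step injected so the logic can be
/// exercised without unsharing the calling process. Permission-denied degrades
/// to Landlock-only protection; every other error still aborts sandbox setup.
pub fn apply_read_only_mounts_with(
    unshare_namespaces: impl FnOnce() -> io::Result<()>,
) -> io::Result<MountOutcome> {
    match unshare_namespaces() {
        Ok(()) => Ok(MountOutcome::Applied),
        Err(err) if is_permission_denied(&err) => Ok(MountOutcome::SkippedPermissionDenied),
        Err(err) => Err(err),
    }
}

/// Ordering from the text: no_new_privs first, then the read-only mounts (or
/// their fallback), then the Landlock/seccomp installer supplied by the caller.
/// Returns the steps that actually ran, in order.
pub fn apply_sandbox_policy_to_current_thread(
    unshare_namespaces: impl FnOnce() -> io::Result<()>,
    install_landlock_and_seccomp: impl FnOnce() -> io::Result<()>,
) -> io::Result<Vec<&'static str>> {
    let mut steps = Vec::new();
    set_no_new_privs()?;
    steps.push("no_new_privs");
    match apply_read_only_mounts_with(unshare_namespaces)? {
        MountOutcome::Applied => steps.push("read_only_mounts"),
        MountOutcome::SkippedPermissionDenied => steps.push("read_only_mounts_skipped"),
    }
    install_landlock_and_seccomp()?;
    steps.push("landlock_and_seccomp");
    Ok(steps)
}

fn main() {
    // Real run on this thread: the namespace step either succeeds or is denied.
    // The Landlock/seccomp installer is a stand-in closure in this example.
    let steps = apply_sandbox_policy_to_current_thread(unshare_user_and_mount_namespaces, || Ok(()));
    println!("steps: {:?}", steps);
}
```

The namespace step is injected rather than called inside `apply_read_only_mounts_with` so the fallback can be tested with a synthetic `EPERM`; a real `unshare(CLONE_NEWUSER)` from a multithreaded process (such as a test harness) fails with `EINVAL`, which is exactly the kind of error the fallback must not mistake for the denied-unprivileged-userns case.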
### Quick manual test

Run the sandbox directly with a workspace-write policy (from a Git repository root):

```bash
codex-linux-sandbox \
  --sandbox-policy-cwd "$PWD" \
  --sandbox-policy '{"type":"workspace-write"}' \
  -- bash -lc '
    set -euo pipefail
    echo "should fail" > .git/config && exit 1 || true
    echo "should fail" > .git/hooks/pre-commit && exit 1 || true
    echo "should fail" > .git/index.lock && exit 1 || true
    echo "should fail" > .codex/config.toml && exit 1 || true
    echo "ok" > sandbox-write-test.txt
  '
```
Expected behavior:

- Writes to `.git/config` fail with `Read-only file system`.
- Creating or modifying files under `.git/hooks/` fails.
- Writing `.git/index.lock` fails (since `.git` is read-only).
- Writes under `.codex/` fail when the directory exists.
- Writing a normal repo file succeeds.