mirror of https://github.com/openai/codex.git synced 2026-04-26 15:45:02 +00:00

Files

viyatb-oai ae4de43ccc feat(linux-sandbox): add bwrap support (#9938 )

## Summary
This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
curent Linux sandbox path relies on in-process restrictions (including
Landlock). Bubblewrap gives us a more uniform filesystem isolation
model, especially explicit writable roots with the option to make some
directories read-only and granular network controls.

This is behind a feature flag so we can validate behavior safely before
making it the default.

- Added temporary rollout flag:
  - `features.use_linux_sandbox_bwrap`
- Preserved existing default path when the flag is off.
- In Bubblewrap mode:
- Added internal retry without /proc when /proc mount is not permitted
by the host/container.

2026-02-04 11:13:17 -08:00

src

feat(linux-sandbox): add bwrap support (#9938 )

2026-02-04 11:13:17 -08:00

BUILD.bazel

feat: add support for building with Bazel (#8875 )

2026-01-09 11:09:43 -08:00

Cargo.toml

feat: introduce ExternalSandbox policy (#8290 )

2025-12-18 17:02:03 -08:00

README.md

chore: introduce codex-common crate (#843 )

2025-05-06 17:38:56 -07:00

README.md

codex-common

This crate is designed for utilities that need to be shared across other crates in the workspace, but should not go in core.

For narrow utility features, the pattern is to add introduce a new feature under [features] in Cargo.toml and then gate it with #[cfg] in lib.rs, as appropriate.