mirror of
https://github.com/openai/codex.git
synced 2026-04-27 16:15:09 +00:00
e1447c3009
### Motivation - Landlock alone cannot prevent writes to sensitive in-repo files like `.git/` when the repo root is writable, so explicit mount restrictions are required for those paths. - The sandbox must set up any mounts before calling Landlock so Landlock can still be applied afterwards and the two mechanisms compose correctly. ### Description - Add a new `linux-sandbox` helper `apply_read_only_mounts` in `linux-sandbox/src/mounts.rs` that: unshares namespaces, maps uids/gids when required, makes mounts private, bind-mounts targets, and remounts them read-only. - Wire the mount step into the sandbox flow by calling `apply_read_only_mounts(...)` before network/seccomp and before applying Landlock rules in `linux-sandbox/src/landlock.rs`.
24 lines
992 B
Markdown
24 lines
992 B
Markdown
# codex-core
|
|
|
|
This crate implements the business logic for Codex. It is designed to be used by the various Codex UIs written in Rust.
|
|
|
|
## Dependencies
|
|
|
|
Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:
|
|
|
|
### macOS
|
|
|
|
Expects `/usr/bin/sandbox-exec` to be present.
|
|
|
|
When using the workspace-write sandbox policy, the Seatbelt profile allows
|
|
writes under the configured writable roots while keeping `.git` (directory or
|
|
pointer file), the resolved `gitdir:` target, and `.codex` read-only.
|
|
|
|
### Linux
|
|
|
|
Expects the binary containing `codex-core` to run the equivalent of `codex sandbox linux` (legacy alias: `codex debug landlock`) when `arg0` is `codex-linux-sandbox`. See the `codex-arg0` crate for details.
|
|
|
|
### All Platforms
|
|
|
|
Expects the binary containing `codex-core` to simulate the virtual `apply_patch` CLI when `arg1` is `--codex-run-as-apply-patch`. See the `codex-arg0` crate for details.
|