mirror of
https://github.com/openai/codex.git
synced 2026-04-29 00:55:38 +00:00
86764af684
## Problem Codex already treated an existing top-level project `./.codex` directory as protected, but there was a gap on first creation. If `./.codex` did not exist yet, a turn could create files under it, such as `./.codex/config.toml`, without going through the same approval path as later modifications. That meant the initial write could bypass the intended protection for project-local Codex state. ## What this changes This PR closes that first-creation gap in the Unix enforcement layers: - `codex-protocol` - treat the top-level project `./.codex` path as a protected carveout even when it does not exist yet - avoid injecting the default carveout when the user already has an explicit rule for that exact path - macOS Seatbelt - deny writes to both the exact protected path and anything beneath it, so creating `./.codex` itself is blocked in addition to writes inside it - Linux bubblewrap - preserve the same protected-path behavior for first-time creation under `./.codex` - tests - add protocol regressions for missing `./.codex` and explicit-rule collisions - add Unix sandbox coverage for blocking first-time `./.codex` creation - tighten Seatbelt policy assertions around excluded subpaths ## Scope This change is intentionally scoped to protecting the top-level project `.codex` subtree from agent writes. It does not make `.codex` unreadable, and it does not change the product behavior around loading project skills from `.codex` when project config is untrusted. ## Why this shape The fix is pointed rather than broad: - it preserves the current model of “project `.codex` is protected from writes” - it closes the security-relevant first-write hole - it avoids folding a larger permissions-model redesign into this PR ## Validation - `cargo test -p codex-protocol` - `cargo test -p codex-sandboxing seatbelt` - `cargo test -p codex-exec --test all sandbox_blocks_first_time_dot_codex_creation -- --nocapture` --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
codex-linux-sandbox
This crate is responsible for producing:
- a
codex-linux-sandboxstandalone executable for Linux that is bundled with the Node.js version of the Codex CLI - a lib crate that exposes the business logic of the executable as
run_main()so that- the
codex-execCLI can check if its arg0 iscodex-linux-sandboxand, if so, execute as if it werecodex-linux-sandbox - this should also be true of the
codexmultitool CLI
- the
On Linux, the bubblewrap pipeline prefers the first bwrap found on PATH
outside the current working directory whenever it is available. If bwrap is
present but too old to support
--argv0, the helper keeps using system bubblewrap and switches to a
no---argv0 compatibility path for the inner re-exec. If bwrap is missing,
the helper falls back to the vendored bubblewrap path compiled into this
binary.
Codex also surfaces a startup warning when bwrap is missing so users know it
is falling back to the vendored helper.
Current Behavior
- Legacy
SandboxPolicy/sandbox_modeconfigs remain supported. - Bubblewrap is the default filesystem sandbox pipeline.
- If
bwrapis present onPATHoutside the current working directory, the helper uses it. - If
bwrapis present but too old to support--argv0, the helper uses a no---argv0compatibility path for the inner re-exec. - If
bwrapis missing, the helper falls back to the vendored bubblewrap path. - If
bwrapis missing, Codex also surfaces a startup warning instead of printing directly from the sandbox helper. - Legacy Landlock + mount protections remain available as an explicit legacy fallback path.
- Set
features.use_legacy_landlock = true(or CLI-c use_legacy_landlock=true) to force the legacy Landlock fallback. - The legacy Landlock fallback is used only when the split filesystem policy is
sandbox-equivalent to the legacy model after
cwdresolution. - Split-only filesystem policies that do not round-trip through the legacy
SandboxPolicymodel stay on bubblewrap so nested read-only or denied carveouts are preserved. - When the default bubblewrap pipeline is active, the helper applies
PR_SET_NO_NEW_PRIVSand a seccomp network filter in-process. - When the default bubblewrap pipeline is active, the filesystem is read-only by default via
--ro-bind / /. - When the default bubblewrap pipeline is active, writable roots are layered with
--bind <root> <root>. - When the default bubblewrap pipeline is active, protected subpaths under writable roots (for
example
.git, resolvedgitdir:, and.codex) are re-applied as read-only via--ro-bind. - When the default bubblewrap pipeline is active, overlapping split-policy
entries are applied in path-specificity order so narrower writable children
can reopen broader read-only or denied parents while narrower denied subpaths
still win. For example,
/repo = write,/repo/a = none,/repo/a/b = writekeeps/repowritable, denies/repo/a, and reopens/repo/a/bas writable again. - When the default bubblewrap pipeline is active, symlink-in-path and non-existent protected paths inside
writable roots are blocked by mounting
/dev/nullon the symlink or first missing component. - When the default bubblewrap pipeline is active, the helper explicitly isolates the user namespace via
--unshare-userand the PID namespace via--unshare-pid. - When the default bubblewrap pipeline is active and network is restricted without proxy routing, the helper also
isolates the network namespace via
--unshare-net. - In managed proxy mode, the helper uses
--unshare-netplus an internal TCP->UDS->TCP routing bridge so tool traffic reaches only configured proxy endpoints. - In managed proxy mode, after the bridge is live, seccomp blocks new AF_UNIX/socketpair creation for the user command.
- When the default bubblewrap pipeline is active, it mounts a fresh
/procvia--proc /procby default, but you can skip this in restrictive container environments with--no-proc.
Notes
- The CLI surface still uses legacy names like
codex debug landlock.