Merged
17 changes: 13 additions & 4 deletions codex-rs/linux-sandbox/README.md
Expand Up @@ -11,16 +11,25 @@ On Linux, the bubblewrap pipeline uses the vendored bubblewrap path compiled
into this binary.

**Current Behavior**
- Legacy Landlock + mount protections remain available as the legacy pipeline.
- The default Linux sandbox pipeline is bubblewrap on the vendored path.
- Bubblewrap is the default filesystem sandbox pipeline and is standardized on
the vendored path.
- Legacy Landlock + mount protections remain available as an explicit legacy
fallback path.
- Set `features.use_legacy_landlock = true` (or CLI `-c use_legacy_landlock=true`)
to force the legacy Landlock fallback.
- When the default bubblewrap pipeline is active, it applies `PR_SET_NO_NEW_PRIVS` and a
- Split-only filesystem policies that do not round-trip through the legacy
`SandboxPolicy` model stay on bubblewrap so nested read-only or denied
carveouts are preserved.
- When the default bubblewrap pipeline is active, the helper applies `PR_SET_NO_NEW_PRIVS` and a
seccomp network filter in-process.
- When the default bubblewrap pipeline is active, the filesystem is read-only by default via `--ro-bind / /`.
- When the default bubblewrap pipeline is active, writable roots are layered with `--bind <root> <root>`.
- When the default bubblewrap pipeline is active, protected subpaths under writable roots (for example `.git`,
- When the default bubblewrap pipeline is active, protected subpaths under writable roots (for
example `.git`,
resolved `gitdir:`, and `.codex`) are re-applied as read-only via `--ro-bind`.
- When the default bubblewrap pipeline is active, overlapping split-policy entries are applied in
path-specificity order so narrower writable children can reopen broader
read-only parents while narrower denied subpaths still win.
- When the default bubblewrap pipeline is active, symlink-in-path and non-existent protected paths inside
writable roots are blocked by mounting `/dev/null` on the symlink or first
missing component.
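Review bot: the new bullet saying split-only filesystem policies "stay on bubblewrap" reads as conflicting with the bullet just above it, which says `features.use_legacy_landlock = true` will "force the legacy Landlock fallback". The README should state which one wins when both apply (flag ignored, or the combination rejected with an error), because a user who sets the flag would otherwise assume the Landlock path is in effect. A related gap is in the new path-specificity bullet: it says "narrower writable children can reopen broader read-only parents" but does not say whether that also applies to the protected subpaths (`.git`, resolved `gitdir:`, `.codex`) that the preceding bullet re-applies as read-only; one sentence on the ordering between those two rules would remove the ambiguity. Minor style point: the rewrapped protected-subpaths bullet now breaks as "(for" / "example `.git`," across two lines and could be rejoined.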