feat(linux-sandbox): add bwrap support by viyatb-oai · Pull Request #9938 · openai/codex

viyatb-oai · 2026-01-26T21:51:30Z

Summary

This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The curent Linux sandbox path relies on in-process restrictions (including Landlock). Bubblewrap gives us a more uniform filesystem isolation model, especially explicit writable roots with the option to make some directories read-only and granular network controls.

This is behind a feature flag so we can validate behavior safely before making it the default.

Added temporary rollout flag:
- features.use_linux_sandbox_bwrap
Preserved existing default path when the flag is off.
In Bubblewrap mode:
- Added internal retry without /proc when /proc mount is not permitted by the host/container.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5aa61a15ff

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

codex-rs/linux-sandbox/src/linux_run_main.rs

## Summary Vendor Bubblewrap into the repo and add minimal build plumbing in `codex-linux-sandbox` to compile/link it. ## Why We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout: 1) vendoring/build setup (this PR), 2) runtime integration (follow-up PR). ## Included - Add `codex-rs/vendor/bubblewrap` sources. - Add build-time FFI path in `codex-rs/linux-sandbox`. - Update `build.rs` rerun tracking for vendored files. - Small vendored compile warning fix (`sockaddr_nl` full init). follow up in #9938

codex-rs/core/src/landlock.rs

.github/workflows/bazel.yml

bolinfest · 2026-02-03T18:24:31Z

codex-rs/linux-sandbox/src/vendored_bwrap.rs

+
+    /// Execute the build-time bubblewrap `main` function with the given argv.
+    pub(crate) fn exec_vendored_bwrap(argv: Vec<String>) -> ! {
+        let exit_code = run_vendored_bwrap_main(&argv);


Hmm, so this appears to be the end of main():

https://github.com/containers/bubblewrap/blob/535238486c5d41be5ee49c6a85842b6f29ba93b5/bubblewrap.c#L3626-L3640

where:

if (execvp (exec_path, argv) == -1)

leads to:

die_with_error ("execvp %s", exec_path);

but if execvp() does not return -1, then bwrap's main returns 0, even though that suggests something has gone horribly wrong?

.github/workflows/rust-ci.yml

bolinfest

OK, a handful of questions/clarifications!

codex-rs/linux-sandbox/src/linux_run_main.rs

codex-rs/linux-sandbox/tests/suite/landlock.rs

codex-rs/linux-sandbox/src/linux_run_main.rs

codex-rs/linux-sandbox/scripts/test_linux_sandbox.sh

viyatb-oai requested a review from bolinfest January 27, 2026 23:40

viyatb-oai changed the title ~~linux sandbox improvements~~ feat(linux-sandbox): swap landlock for bwrap for sandboxing Feb 2, 2026

viyatb-oai force-pushed the viyat/bwrap branch from 3903ff5 to 5aa61a1 Compare February 2, 2026 21:07

viyatb-oai mentioned this pull request Feb 2, 2026

feat(linux-sandbox): vendor bubblewrap and wire it with FFI #10413

Merged

viyatb-oai changed the base branch from main to codex/viyatb/bwrap-vendoring February 2, 2026 21:24

viyatb-oai marked this pull request as ready for review February 2, 2026 21:24

chatgpt-codex-connector bot reviewed Feb 2, 2026

View reviewed changes

codex-rs/linux-sandbox/src/linux_run_main.rs Show resolved Hide resolved

viyatb-oai force-pushed the viyat/bwrap branch from 5aa61a1 to 2e968d3 Compare February 2, 2026 21:49

viyatb-oai changed the title ~~feat(linux-sandbox): swap landlock for bwrap for sandboxing~~ feat(linux-sandbox): add bwrap support Feb 2, 2026

viyatb-oai force-pushed the viyat/bwrap branch 2 times, most recently from 4d27a26 to 0198203 Compare February 3, 2026 04:22

viyatb-oai force-pushed the codex/viyatb/bwrap-vendoring branch from 3a4a6ed to 077419b Compare February 3, 2026 04:27

viyatb-oai force-pushed the viyat/bwrap branch 2 times, most recently from a7b4ed5 to 669ccb9 Compare February 3, 2026 07:16

Base automatically changed from codex/viyatb/bwrap-vendoring to main February 3, 2026 07:33

viyatb-oai added 4 commits February 2, 2026 23:36

feat(linux-sandbox): integrate vendored bwrap behind rollout flag

1332fd5

fix(linux-sandbox): satisfy clippy module order and shear deps

b536599

fix(linux-sandbox): run landlock suite via bwrap path

273c305

fix(linux-sandbox): split legacy vs bwrap test paths

1ae8d7f

viyatb-oai force-pushed the viyat/bwrap branch from 669ccb9 to 1ae8d7f Compare February 3, 2026 07:37

ci(linux-sandbox): enable bwrap ffi in linux CI/release

a121b25

viyatb-oai commented Feb 3, 2026

View reviewed changes

codex-rs/core/src/landlock.rs Show resolved Hide resolved

refactor(linux-sandbox): standardize bwrap rollout flags

6b9e24e

bolinfest reviewed Feb 3, 2026

View reviewed changes

.github/workflows/bazel.yml Outdated Show resolved Hide resolved

bolinfest reviewed Feb 3, 2026

View reviewed changes

ci(bazel): remove local bwrap deps install from remote bazel workflow

4689e77

zbarsky-openai reviewed Feb 3, 2026

View reviewed changes

.github/workflows/rust-ci.yml Outdated Show resolved Hide resolved

viyatb-oai added 2 commits February 3, 2026 14:08

ci(rust-ci): keep bwrap ffi out of cargo workflow

f010435

Merge branch 'main' into viyat/bwrap

352212c

bolinfest reviewed Feb 3, 2026

View reviewed changes

viyatb-oai added 4 commits February 3, 2026 16:59

fix(linux-sandbox): bound preflight bwrap stderr capture

17c46b3

fix(linux-sandbox): check close rc in bwrap preflight

b5f25ec

docs(linux-sandbox): tighten rollout behavior docs

98acefe

docs(linux-sandbox): remove obsolete sandbox doc

a19ab5e