fix(linux-sandbox): preserve detached children #14891
Open
viyatb-oai wants to merge 15 commits into main from
7dcd5f3 to e2b7bde
…x-sandbox-detached-children # Conflicts: # codex-rs/linux-sandbox/tests/suite/landlock.rs
e4595d5 to 5ac5801
bolinfest reviewed Mar 18, 2026
…x-sandbox-detached-children
…x-sandbox-detached-children # Conflicts: # codex-rs/core/src/exec.rs # codex-rs/core/src/landlock.rs # codex-rs/core/src/sandboxing/mod.rs # codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs # codex-rs/sandboxing/src/policy_transforms_tests.rs
…x-sandbox-detached-children # Conflicts: # codex-rs/core/src/landlock.rs # codex-rs/linux-sandbox/src/linux_run_main.rs # codex-rs/sandboxing/src/lib.rs
Summary
- --die-with-parent for Linux sandbox tool invocations so detached descendants can survive after the initial one-shot command exits
- --unshare-user and --unshare-pid so the sandboxed process tree still runs in isolated user and PID namespaces
Context
This addresses regression B from #14875. Regression A was split into a separate PR: #14890.
The important detail here is that the regression is not caused by the PID namespace by itself. The failing behavior is that an intentionally detached child still gets torn down when bubblewrap is asked to tie sandbox lifetime to the original parent process. This PR keeps the namespace isolation and scopes the behavior change to removing --die-with-parent.
That means the semantic change is narrow but real: detached descendants can now outlive the initial one-shot helper process when the caller intentionally launches them that way. That is what restores the detached-child use case behind the WSL / Playwright bridge regression, but it also means intentionally detached sandbox descendants may remain alive if the original helper exits unexpectedly.
Validation
- just fmt
- cargo test -p codex-linux-sandbox
- cargo clippy -p codex-linux-sandbox --tests -- -D warnings
- cargo clean
Note: this checkout is macOS, so the Linux-only runtime tests compile but do not execute locally here.
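An added illustration of the lifetime coupling discussed in the description above; it is not code from this PR or from bubblewrap. bubblewrap's --die-with-parent is built on Linux's PR_SET_PDEATHSIG, and this Linux-only demo shows that a setsid()-detached child armed with it is still killed when the one-shot helper exits, while an unarmed one survives. Assumptions: the function names and process layout are invented for the demo, and the detached child is armed directly instead of being run under bwrap.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical one-shot helper: start a setsid()-detached child, report its pid, exit. */
static void run_helper(int report_fd, int tie_to_parent) {
    int ready[2];
    char byte = 0;
    pid_t child;
    if (pipe(ready) != 0 || (child = fork()) < 0) _exit(1);
    if (child == 0) {
        close(report_fd);
        setsid();                          /* intentional detach from the session */
        if (tie_to_parent)                 /* the mechanism behind --die-with-parent */
            prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
        if (write(ready[1], &byte, 1) != 1) _exit(1);   /* armed: tell the helper */
        for (;;) pause();
    }
    if (read(ready[0], &byte, 1) != 1) _exit(1);        /* wait until child is set up */
    if (write(report_fd, &child, sizeof child) != (ssize_t)sizeof child) _exit(1);
    _exit(0);                              /* the one-shot command exits */
}

/* 1: detached child outlived the helper, 0: killed with it, -1: setup error. */
int detached_child_survives(int tie_to_parent) {
    int report[2];
    pid_t helper, child;
    struct timespec tick = {0, 20 * 1000 * 1000};       /* 20 ms */
    /* Subreaper: the orphan is reparented to us, so we can reap and observe it. */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) != 0 || pipe(report) != 0) return -1;
    if ((helper = fork()) < 0) return -1;
    if (helper == 0) run_helper(report[1], tie_to_parent);
    close(report[1]);
    if (read(report[0], &child, sizeof child) != (ssize_t)sizeof child) return -1;
    close(report[0]);
    waitpid(helper, NULL, 0);
    for (int i = 0; i < 50; i++) {                      /* watch for about 1 s */
        if (waitpid(child, NULL, WNOHANG) == child) return 0;
        nanosleep(&tick, NULL);
    }
    kill(child, SIGKILL);                               /* clean up the survivor */
    waitpid(child, NULL, 0);
    return 1;
}

/* Exit status 0 when the armed child dies and the unarmed child survives. */
int main(void) { return !(detached_child_survives(1) == 0 && detached_child_survives(0) == 1); }
```

The surviving case is the trade-off the description names: nothing reaps the detached process unless the caller tracks it, which is why the demo kills it explicitly.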