fix: warn when bwrap cannot create user namespaces #15893

Open
viyatb-oai wants to merge 3 commits into main from codex/viyatb/fix-bwrap-warning-bypass

viyatb-oai (Collaborator) commented Mar 26, 2026

Summary

  • suppress the missing-bubblewrap startup warning when sandboxing is intentionally bypassed with danger-full-access
  • add a startup warning when system bwrap is present but cannot create user namespaces
  • keep the Linux-specific probe and stderr matching in codex-sandboxing, with codex-core only handling the sandbox-policy gate

Details

  • detects the known bubblewrap failures for RTM_NEWADDR, RTM_NEWLINK, uid-map permission denial, and No permissions to create a new namespace
  • keeps this as a startup warning only; command execution still falls back to the existing sandbox behavior
  • updates the Linux sandbox docs to call out the user-namespace requirement

Validation

  • cargo test -p codex-sandboxing
  • cargo test -p codex-core system_bwrap_warning_skips_danger_full_access --lib
  • just fix -p codex-sandboxing
  • just fmt
  • just argument-comment-lint
  • git diff --check origin/main...HEAD
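
The gate and stderr classification described in the comment above, as an added example that is not code from this pull request or from codex-sandboxing. The type and function names, the match substrings (taken from the failures the description lists) and the sample stderr lines are assumptions made for illustration.

```rust
// Added illustration; names and needles are assumptions, not the codex-sandboxing API.
#[derive(Debug, PartialEq, Clone, Copy)]
enum BwrapWarning {
    Missing,
    UserNamespaceUnavailable,
}

/// Substrings taken from the failures listed in the PR description.
const USERNS_NEEDLES: [&str; 3] = [
    "RTM_NEWADDR",
    "RTM_NEWLINK",
    "No permissions to create a new namespace",
];

/// True when probe stderr looks like bwrap failing to set up a user namespace.
fn is_userns_failure(stderr: &str) -> bool {
    stderr.lines().any(|line| {
        let uid_map_denied = line.contains("uid map") && line.contains("Permission denied");
        uid_map_denied || USERNS_NEEDLES.iter().any(|n| line.contains(*n))
    })
}

/// `probe_stderr` is None when no system bwrap was found, Some(stderr) when a probe ran.
fn startup_warning(danger_full_access: bool, probe_stderr: Option<&str>) -> Option<BwrapWarning> {
    if danger_full_access {
        return None; // sandbox intentionally bypassed: nothing to warn about
    }
    match probe_stderr {
        None => Some(BwrapWarning::Missing),
        Some(err) if is_userns_failure(err) => Some(BwrapWarning::UserNamespaceUnavailable),
        Some(_) => None, // unrelated bwrap error: not a user-namespace problem
    }
}

fn main() {
    // Constructed sample stderr, not captured from a real run.
    let samples = [
        "bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted",
        "bwrap: setting up uid map: Permission denied",
        "bwrap: Can't find source path /nope: No such file or directory",
    ];
    for s in samples.iter() {
        println!("{:?} <- {}", startup_warning(false, Some(*s)), s);
    }
}
```

Matching on substrings of another program's stderr is brittle across bubblewrap versions and locales, which fits the description's choice to keep this a startup warning only and leave execution behavior unchanged.
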
viyatb-oai changed the title Suppress bwrap warning in danger-full-access Mar 26, 2026
viyatb-oai requested a review from bolinfest March 26, 2026 18:56
viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from bcfa0c3 to 9546aab March 26, 2026 19:53
viyatb-oai marked this pull request as ready for review March 26, 2026 19:56
viyatb-oai changed the title chore: suppress bwrap warning in danger-full-access Mar 26, 2026
viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from d0a8a5f to b509307 March 26, 2026 21:27
viyatb-oai changed the base branch from main to codex/viyatb/bwrap-config-module-followup March 26, 2026 21:27
Base automatically changed from codex/viyatb/bwrap-config-module-followup to main March 26, 2026 22:16
viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from b509307 to 29e6aa9 March 26, 2026 22:18
Co-authored-by: Codex <noreply@openai.com>