Fix AF_UNIX, sockpair, recvfrom in linux sandbox (#2309)

When using codex-tui on a linux system I was unable to run `cargo
clippy` inside of codex due to:
```
[pid 3548377] socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0,  <unfinished ...>
[pid 3548370] close(8 <unfinished ...>
[pid 3548377] <... socketpair resumed>0x7ffb97f4ed60) = -1 EPERM (Operation not permitted)
```
And
```
3611300 <... recvfrom resumed>0x708b8b5cffe0, 8, 0, NULL, NULL) = -1 EPERM (Operation not permitted)
```

This PR:
* Fixes a bug that disallowed AF_UNIX to allow it on `socket()`
* Adds recvfrom() to the syscall allow list, this should be fine since
we disable opening new sockets. But we should validate there is not a
open socket inheritance issue.
* Allow socketpair to be called for AF_UNIX
* Adds tests for AF_UNIX components
* All of which allows running `cargo clippy` within the sandbox on
linux, and possibly other tooling using a fork server model + AF_UNIX
comms.

This commit is contained in:

Parker Thompson

2025-08-14 17:12:41 -07:00

committed by

GitHub

parent e9b597cfa3

commit c26d42ab69

4 changed files with 136 additions and 4 deletions

									
										1

codex-rs/exec/Cargo.toml
									
												View File
												
				@@ -41,5 +41,6 @@ tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }

				[dev-dependencies]

				assert_cmd = "2"

				libc = "0.2"

				predicates = "3"

				tempfile = "3.13.0"

Fix AF_UNIX, sockpair, recvfrom in linux sandbox (#2309)

1 codex-rs/exec/Cargo.toml Unescape Escape View File

1

codex-rs/exec/Cargo.toml

View File