feat: add codex_linux_sandbox_exe: Option<PathBuf> field to Config (#1089)

https://github.com/openai/codex/pull/1086 is a work-in-progress to make Linux sandboxing work more like Seatbelt where, for the command we want to sandbox, we build up the command and then hand it, and some sandbox configuration flags, to another command to set up the sandbox and then run it. In the case of Seatbelt, macOS provides this helper binary and provides it at `/usr/bin/sandbox-exec`. For Linux, we have to build our own and pass it through (which is what #1086 does), so this makes the new `codex_linux_sandbox_exe` available on `Config` so that it will later be available in `exec.rs` when we need it in #1086.
2025-05-22 21:52:28 -07:00
parent 63deb7c369
commit d1de7bb383
10 changed files with 75 additions and 13 deletions
--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
@@ -98,6 +98,14 @@ pub struct Config {

    /// Collection of settings that are specific to the TUI.
    pub tui: Tui,
+
+    /// Path to the `codex-linux-sandbox` executable. This must be set if
+    /// [`crate::exec::SandboxType::LinuxSeccomp`] is used. Note that this
+    /// cannot be set in the config file: it must be set in code via
+    /// [`ConfigOverrides`].
+    ///
+    /// When this program is invoked, arg0 will be set to `codex-linux-sandbox`.
+    pub codex_linux_sandbox_exe: Option<PathBuf>,
 }

 /// Base config deserialized from ~/.codex/config.toml.
@@ -222,6 +230,7 @@ pub struct ConfigOverrides {
    pub disable_response_storage: Option<bool>,
    pub model_provider: Option<String>,
    pub config_profile: Option<String>,
+    pub codex_linux_sandbox_exe: Option<PathBuf>,
 }

 impl Config {
@@ -258,6 +267,7 @@ impl Config {
            disable_response_storage,
            model_provider,
            config_profile: config_profile_key,
+            codex_linux_sandbox_exe,
        } = overrides;

        let config_profile = match config_profile_key.or(cfg.profile) {
@@ -359,6 +369,7 @@ impl Config {
            history,
            file_opener: cfg.file_opener.unwrap_or(UriBasedFileOpener::VsCode),
            tui: cfg.tui.unwrap_or_default(),
+            codex_linux_sandbox_exe,
        };
        Ok(config)
    }
@@ -699,6 +710,7 @@ disable_response_storage = true
                history: History::default(),
                file_opener: UriBasedFileOpener::VsCode,
                tui: Tui::default(),
+                codex_linux_sandbox_exe: None,
            },
            o3_profile_config
        );
@@ -737,6 +749,7 @@ disable_response_storage = true
            history: History::default(),
            file_opener: UriBasedFileOpener::VsCode,
            tui: Tui::default(),
+            codex_linux_sandbox_exe: None,
        };

        assert_eq!(expected_gpt3_profile_config, gpt3_profile_config);
@@ -790,6 +803,7 @@ disable_response_storage = true
            history: History::default(),
            file_opener: UriBasedFileOpener::VsCode,
            tui: Tui::default(),
+            codex_linux_sandbox_exe: None,
        };

        assert_eq!(expected_zdr_profile_config, zdr_profile_config);