Files

Michael Bolin 92f3566d78 chore: introduce SandboxPolicy::WorkspaceWrite::include_default_writable_roots (#1785 )

Without this change, it is challenging to create integration tests to
verify that the folders not included in `writable_roots` in
`SandboxPolicy::WorkspaceWrite` are read-only because, by default,
`get_writable_roots_with_cwd()` includes `TMPDIR`, which is where most
integrationt
tests do their work.

This introduces a `use_exact_writable_roots` option to disable the
default
includes returned by `get_writable_roots_with_cwd()`.




---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1785).
* #1765
* __->__ #1785

2025-08-01 14:15:55 -07:00

src

fix: move arg0 handling out of codex-linux-sandbox and into its own crate (#1697 )

2025-07-28 08:31:24 -07:00

tests

chore: introduce SandboxPolicy::WorkspaceWrite::include_default_writable_roots (#1785 )

2025-08-01 14:15:55 -07:00

Cargo.toml

Auto format toml (#1745 )

2025-07-30 18:37:00 -07:00

README.md

fix: overhaul how we spawn commands under seccomp/landlock on Linux (#1086 )

2025-05-23 11:37:07 -07:00

README.md

codex-linux-sandbox

This crate is responsible for producing:

a codex-linux-sandbox standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
a lib crate that exposes the business logic of the executable as run_main() so that
- the codex-exec CLI can check if its arg0 is codex-linux-sandbox and, if so, execute as if it were codex-linux-sandbox
- this should also be true of the codex multitool CLI