Files

Parker Thompson c26d42ab69 Fix AF_UNIX, sockpair, recvfrom in linux sandbox (#2309 )

When using codex-tui on a linux system I was unable to run `cargo
clippy` inside of codex due to:
```
[pid 3548377] socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0,  <unfinished ...>
[pid 3548370] close(8 <unfinished ...>
[pid 3548377] <... socketpair resumed>0x7ffb97f4ed60) = -1 EPERM (Operation not permitted)
```
And
```
3611300 <... recvfrom resumed>0x708b8b5cffe0, 8, 0, NULL, NULL) = -1 EPERM (Operation not permitted)
```

This PR:
* Fixes a bug that disallowed AF_UNIX to allow it on `socket()`
* Adds recvfrom() to the syscall allow list, this should be fine since
we disable opening new sockets. But we should validate there is not a
open socket inheritance issue.
* Allow socketpair to be called for AF_UNIX
* Adds tests for AF_UNIX components
* All of which allows running `cargo clippy` within the sandbox on
linux, and possibly other tooling using a fork server model + AF_UNIX
comms.

2025-08-14 17:12:41 -07:00

src

Fix AF_UNIX, sockpair, recvfrom in linux sandbox (#2309 )

2025-08-14 17:12:41 -07:00

tests

chore: introduce ConversationManager as a clearinghouse for all conversations (#2240 )

2025-08-13 13:38:18 -07:00

Cargo.toml

Auto format toml (#1745 )

2025-07-30 18:37:00 -07:00

README.md

fix: overhaul how we spawn commands under seccomp/landlock on Linux (#1086 )

2025-05-23 11:37:07 -07:00

README.md

codex-linux-sandbox

This crate is responsible for producing:

a codex-linux-sandbox standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
a lib crate that exposes the business logic of the executable as run_main() so that
- the codex-exec CLI can check if its arg0 is codex-linux-sandbox and, if so, execute as if it were codex-linux-sandbox
- this should also be true of the codex multitool CLI