feat(linux-sandbox): vendor bubblewrap and wire it with FFI by viyatb-oai · Pull Request #10413 · openai/codex

viyatb-oai · 2026-02-02T21:18:58Z

Summary

Vendor Bubblewrap into the repo and add minimal build plumbing in codex-linux-sandbox to compile/link it.

Why

We want to move Linux sandboxing toward Bubblewrap, but in a safe two-step rollout:

vendoring/build setup (this PR),
runtime integration (follow-up PR).

Included

Add codex-rs/vendor/bubblewrap sources.
Add build-time FFI path in codex-rs/linux-sandbox.
Update build.rs rerun tracking for vendored files.
Small vendored compile warning fix (sockaddr_nl full init).

follow up in #9938

…ndoring

bolinfest

Exciting!

bolinfest · 2026-02-03T06:14:43Z

codex-rs/vendor/bubblewrap/.github/workflows/check.yml

@@ -0,0 +1,105 @@
+name: CI checks


We should probably exclude the .github/workflows folder from the bubblewrap repo? We aren't going to run it, so I worry it may just confuse things?

Though I concede it makes the diff with the true repo slightly unclean.

I asked codex about it and apparently Github actions only takes workflows from the top level .github directory

codex-rs/linux-sandbox/build.rs

…ndoring

viyatb-oai added 4 commits February 2, 2026 12:49

feat(linux-sandbox): add build-time bubblewrap FFI path

b113597

feat(linux-sandbox): vendor bubblewrap sources

c1e4692

fix(linux-sandbox): rerun build.rs for vendored bwrap

1ed1350

fix(linux-sandbox): fully initialize sockaddr_nl

47bebe6

viyatb-oai requested a review from bolinfest February 2, 2026 21:18

viyatb-oai added 2 commits February 2, 2026 13:31

chore(linux-sandbox): keep smoke script out of vendoring split

876df3f

chore(linux-sandbox): bump vendoring branch

077419b

viyatb-oai force-pushed the codex/viyatb/bwrap-vendoring branch from 3a4a6ed to 077419b Compare February 3, 2026 04:27

Merge remote-tracking branch 'origin/main' into codex/viyatb/bwrap-ve…

7e05878

…ndoring

bolinfest approved these changes Feb 3, 2026

View reviewed changes

viyatb-oai added 2 commits February 2, 2026 22:34

style(linux-sandbox): use raw string for generated config header

142d041

Merge remote-tracking branch 'origin/main' into codex/viyatb/bwrap-ve…

e3d02af

…ndoring

viyatb-oai merged commit f956cc2 into main Feb 3, 2026
32 checks passed

viyatb-oai deleted the codex/viyatb/bwrap-vendoring branch February 3, 2026 07:33

github-actions bot locked and limited conversation to collaborators Feb 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(linux-sandbox): vendor bubblewrap and wire it with FFI#10413

feat(linux-sandbox): vendor bubblewrap and wire it with FFI#10413
viyatb-oai merged 9 commits intomainfrom
codex/viyatb/bwrap-vendoring

viyatb-oai commented Feb 2, 2026

Uh oh!

bolinfest left a comment

Uh oh!

bolinfest Feb 3, 2026

Uh oh!

viyatb-oai Feb 3, 2026

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

viyatb-oai commented Feb 2, 2026

Summary

Why

Included

Uh oh!

bolinfest left a comment

Choose a reason for hiding this comment

Uh oh!

bolinfest Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

viyatb-oai Feb 3, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants