Conversation
viyatb-oai
changed the title
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7b358805d1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
codex-rs/linux-sandbox/src/mounts.rs
Outdated
| if let Err(err) = unshare_user_and_mount_namespaces() { | ||
| if is_permission_denied(&err) { | ||
| // Unprivileged user namespaces can be disabled on some systems; fall back | ||
| // to Landlock-only protections when we cannot set up the mount namespace. | ||
| return Ok(()); |
There was a problem hiding this comment.
When unprivileged user namespaces are disabled (unshare returns EPERM), this early return skips the read‑only bind mounts but the caller still proceeds to install Landlock with writable roots. Because Landlock is an allowlist, read_only_subpaths (e.g., .git/.codex under a writable root) become writable in that environment, which violates the sandbox policy and allows mutation of protected metadata (including git hooks) instead of blocking it. If fallback is needed, consider failing sandbox setup or removing writable roots/read‑only expectations when mount isolation cannot be established.
Useful? React with 👍 / 👎.
bolinfest
deleted the
codex/viyatb/fix-sandbox-landlock-failure-on-writable-root
branch
2 participants
fixes #9236
Motivation
PR_SET_NO_NEW_PRIVSis set before installing seccomp and Landlock restrictions to avoid kernelEPERM/LandlockRestrictordering issues.Description
is_permission_deniedhelper that detectsEPERM/PermissionDeniedfromCodexErrto drive fallback logic.apply_read_only_mountsskip read-only bind-mount setup and returnOk(())whenunshare_user_and_mount_namespaces()fails with permission-denied so Landlock rules can still be installed.set_no_new_privs()and call it fromapply_sandbox_policy_to_current_threadbefore installing seccomp filters and Landlock rules when disk or network access is restricted.