Skip to content

fix: reopen writable linux carveouts under denied parents#14514

Merged
viyatb-oai merged 9 commits intomainfrom
codex/viyatb/linux-bwrap-carveout-followup
Mar 13, 2026
Merged

fix: reopen writable linux carveouts under denied parents#14514
viyatb-oai merged 9 commits intomainfrom
codex/viyatb/linux-bwrap-carveout-followup

Conversation

@viyatb-oai
Copy link
Collaborator

@viyatb-oai viyatb-oai commented Mar 12, 2026

Summary

  • preserve Linux bubblewrap semantics for write -> none -> write filesystem policies by recreating masked mount targets before rebinding narrower writable descendants
  • add a Linux runtime regression for /repo = write, /repo/a = none, /repo/a/b = write so the nested writable child is exercised under bubblewrap
  • document the supported legacy Landlock fallback and the split-policy bubblewrap behavior for overlapping carveouts

Example

Given a split filesystem policy like:

"/repo" = "write"
"/repo/a" = "none"
"/repo/a/b" = "write"

this PR keeps /repo writable, masks /repo/a, and still reopens /repo/a/b as writable again under bubblewrap.

Testing

  • just fmt
  • cargo test -p codex-linux-sandbox
  • cargo clippy -p codex-linux-sandbox --tests -- -D warnings

@viyatb-oai viyatb-oai requested a review from celia-oai March 12, 2026 22:03
@viyatb-oai viyatb-oai enabled auto-merge (squash) March 12, 2026 22:26
@github-actions github-actions bot mentioned this pull request Mar 13, 2026
Open
@viyatb-oai viyatb-oai merged commit f194d4b into main Mar 13, 2026
52 of 54 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/linux-bwrap-carveout-followup branch March 13, 2026 01:36
@github-actions github-actions bot locked and limited conversation to collaborators Mar 13, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@celia-oai celia-oai celia-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@viyatb-oai @celia-oai