fix: warn when bwrap cannot create user namespaces #15893

Merged
viyatb-oai merged 6 commits into main from
codex/viyatb/fix-bwrap-warning-bypass
Apr 7, 2026

@viyatb-oai viyatb-oai commented Mar 26, 2026

Summary

  • add a Linux startup warning when system bwrap is present but cannot create user namespaces
  • keep the Linux-specific probe, sandbox-policy gate, and stderr matching in codex-sandboxing
  • polish the missing-bwrap warning to point users at the sandbox prerequisites and OS package-manager install path

Details

  • probes system bwrap with --unshare-user, --unshare-net, and a minimal bind before command execution
  • detects known bubblewrap setup failures for RTM_NEWADDR, RTM_NEWLINK, uid-map permission denial, and No permissions to create a new namespace
  • preserves the existing suppression for sandbox-bypassed policies such as danger-full-access and external-sandbox
  • updates the Linux sandbox docs to call out the user-namespace requirement
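
The stderr matching and policy gate described above, as an added example that is not code from this pull request or from codex-sandboxing. All type and function names are hypothetical, the sample stderr lines are constructed, and the exact bubblewrap message wording is an assumption; the probe's exit status and stderr are taken as inputs.

```rust
// Added illustration; names are hypothetical, not the codex-sandboxing API.

/// Policies named in the PR description; the first two bypass the sandbox.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Policy { DangerFullAccess, ExternalSandbox, Sandboxed }

#[derive(PartialEq, Debug)]
pub enum ProbeOutcome { Ok, UserNamespaceBlocked(&'static str), OtherFailure }

// Substrings for the failures listed in the PR description. The last one is
// shortened to a prefix because the exact bwrap wording is an assumption.
const MARKERS: [&str; 3] = ["RTM_NEWADDR", "RTM_NEWLINK", "No permissions to create"];

/// Classify a probe run from its exit status and captured stderr.
pub fn classify_probe(success: bool, stderr: &str) -> ProbeOutcome {
    // A probe that succeeded never warns, whatever it wrote to stderr.
    if success {
        return ProbeOutcome::Ok;
    }
    // uid-map permission denial: matched loosely (assumed message shape).
    let lower = stderr.to_lowercase();
    if lower.contains("uid map") && lower.contains("permission denied") {
        return ProbeOutcome::UserNamespaceBlocked("uid map");
    }
    for &m in MARKERS.iter() {
        if stderr.contains(m) {
            return ProbeOutcome::UserNamespaceBlocked(m);
        }
    }
    // Unrecognised failures are not reported as a user-namespace problem.
    ProbeOutcome::OtherFailure
}

/// Decide whether to emit the startup warning for a given policy.
pub fn startup_warning(policy: Policy, success: bool, stderr: &str) -> Option<String> {
    // Policies that bypass the sandbox never run bwrap, so stay silent.
    if matches!(policy, Policy::DangerFullAccess | Policy::ExternalSandbox) {
        return None;
    }
    match classify_probe(success, stderr) {
        ProbeOutcome::UserNamespaceBlocked(m) => Some(format!(
            "system bwrap cannot create user namespaces (matched {:?})", m)),
        _ => None,
    }
}

fn main() {
    // Constructed sample stderr, not captured from a real run.
    let stderr = "bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted";
    println!("{:?}", startup_warning(Policy::Sandboxed, false, stderr));
}
```
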

@viyatb-oai viyatb-oai changed the title from "Suppress bwrap warning in danger-full-access" to "chore: suppress bwrap warning in danger-full-access" Mar 26, 2026
@viyatb-oai viyatb-oai requested a review from bolinfest March 26, 2026 18:56
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from bcfa0c3 to 9546aab March 26, 2026 19:53
@viyatb-oai viyatb-oai marked this pull request as ready for review March 26, 2026 19:56
@viyatb-oai viyatb-oai changed the title from "chore: suppress bwrap warning in danger-full-access" to "fix: warn when bwrap cannot create user namespaces" Mar 26, 2026
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from d0a8a5f to b509307 March 26, 2026 21:27
@viyatb-oai viyatb-oai changed the base branch from main to codex/viyatb/bwrap-config-module-followup March 26, 2026 21:27
Base automatically changed from codex/viyatb/bwrap-config-module-followup to main March 26, 2026 22:16
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from b509307 to 29e6aa9 March 26, 2026 22:18
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/fix-bwrap-warning-bypass branch from f688351 to de5a50d April 6, 2026 17:14
@viyatb-oai viyatb-oai requested a review from etraut-openai April 6, 2026 17:16
@etraut-openai etraut-openai left a comment

LGTM - one minor spelling nit.

viyatb-oai and others added 3 commits April 6, 2026 18:01
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
viyatb-oai and others added 2 commits April 6, 2026 18:22
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai viyatb-oai merged commit 806e5f7 into main Apr 7, 2026
28 of 30 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/fix-bwrap-warning-bypass branch April 7, 2026 02:19
@github-actions github-actions bot locked and limited conversation to collaborators Apr 7, 2026