Move unified-exec sandbox launch to exec-server by starr-openai · Pull Request #16736 · openai/codex

starr-openai · 2026-04-03T23:33:14Z

Summary

add a shared SandboxLaunchConfig that can be serialized across the exec-server protocol
move remote unified-exec sandbox argv construction into codex-exec-server
keep zsh-fork and managed-network gaps explicit with TODOs while preserving current behavior

Validation

just fmt
remote via codex-applied-devbox: cargo test -p codex-exec-server
remote via codex-applied-devbox: cargo test -p codex-sandboxing
remote via codex-applied-devbox: cargo test -p codex-core unified_exec
remote Docker smoke against containerized exec-server: verified sandbox=None -> SandboxType::None, auto selects LinuxSeccomp when policy requires it, and require forces LinuxSeccomp across env boundary (restrictive auto case in Docker still depends on host kernel userns support)

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 13c8fde3cf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

codex-rs/exec-server/src/local_process.rs

codex-rs/sandboxing/src/seatbelt_tests.rs

codex-rs/sandboxing/src/manager.rs

codex-rs/core/tests/suite/unified_exec.rs

codex-rs/exec-server/tests/process.rs

codex-rs/exec-server/tests/exec_process.rs

codex-rs/exec-server/tests/common/exec_server.rs

codex-rs/core/src/unified_exec/process_manager.rs

codex-rs/core/src/tools/runtimes/unified_exec.rs

codex-rs/exec-server/src/local_process.rs

pakrym-oai

Reduce complexity in codex-sandboxing if possible
Use codex_arg0 to figure out the linux sandbox path
Use single code path in unified exec, fail when using zsh/additional permissions with remote.

codex-rs/exec-server/src/protocol.rs

Co-authored-by: Codex <noreply@openai.com>

codex-rs/exec-server/src/local_process.rs

codex-rs/core/src/tools/runtimes/unified_exec.rs

Use /bin/sh for the PTY/stdin and write-denial probes so the tests do not depend on /usr/bin/python3 being usable on macOS Bazel runners. Co-authored-by: Codex <noreply@openai.com>

pakrym-oai · 2026-04-08T21:36:59Z

codex-rs/exec-server/src/server.rs

    run_main_with_listen_url(DEFAULT_LISTEN_URL).await
 }

 pub async fn run_main_with_listen_url(


delete this?

Done in 8cf18dc. I removed the unused run_main_with_listen_url() wrapper/export, updated run_main() to call run_main_with_runtime(DEFAULT_LISTEN_URL, ...) directly, and fixed the README export list to point at run_main_with_runtime().

doesn't actually look like it's removed

codex-rs/core/src/tools/runtimes/unified_exec.rs

codex-rs/core/src/sandboxing/mod.rs

codex-rs/exec-server/src/local_process.rs

codex-rs/sandboxing/src/seatbelt_tests.rs

codex-rs/sandboxing/src/manager_tests.rs

codex-rs/sandboxing/src/manager.rs

Prepare sandbox env inside the sandbox transform result so core and exec-server do not have to mutate the request at their spawn boundaries. Co-authored-by: Codex <noreply@openai.com>

pakrym-oai

My main q is whether we can maintain a single execution path like we do today (even if some features like network don't work over the remote executor).

Then there are also some non obvious changes to sandboxing logic like moving where env vars are set and how the preference is used.

starr-openai · 2026-04-08T22:19:55Z

Responding to the latest review summary: I pushed 61500ee to make the sandboxing pieces less surprising. Normal core/exec-server launches now pass SandboxablePreference::Auto and let SandboxManager::transform() select the platform sandbox; the public SandboxablePreference::from_selected_sandbox() adapter is gone. The env var prep still has one owner: SandboxExecRequest::prepare_env_for_spawn() inside the manager transform result. The only forced preference left is internal to SandboxAttempt, where the orchestrator is intentionally retrying a concrete sandboxed/non-sandboxed attempt.

On the single execution path question: this PR now shares the sandbox transform path via SandboxLaunchConfig + SandboxManager::transform(), but I have not collapsed local unified-exec process spawning through exec-server in this review-fix commit. The local fallback still owns the zsh-fork/StdoutStream/inherited-fd spawn lifecycle. I think the clean next step is to move those local-spawn features behind ExecBackend; doing that here would be a broader local-spawn migration than the sandbox-transform cleanup.

Co-authored-by: Codex <noreply@openai.com>

pakrym-oai · 2026-04-08T23:59:49Z

codex-rs/arg0/src/lib.rs

-        // Safety: [`run_main`] never returns.
-        codex_linux_sandbox::run_main();
-    } else if exe_name == APPLY_PATCH_ARG0 || exe_name == MISSPELLED_APPLY_PATCH_ARG0 {
+    codex_linux_sandbox::dispatch_if_requested();


why did this have to change?

this doesn't strictly need to change - the main thing was to pull codex_linux_sandbox::dispatch_if_requested() so we can call that from the exec-server main, and thi sjust re-uses the same function.

why can't we use the entire arg0_dispatch_or_else as every other entrypoint does?

I think we need to split exec-server bin and lib to avoid the cicrular dependency. And use the existing pattern.

pakrym-oai · 2026-04-09T01:42:19Z

codex-rs/core/src/tools/runtimes/unified_exec.rs

+            .turn
+            .environment
+            .as_ref()
+            .filter(|environment| environment.exec_server_url().is_some())


we already have this fork in

codex/codex-rs/core/src/unified_exec/process_manager.rs

Line 596 in 7b6486a

if environment.is_remote() {

I don't think we should add another fork and another entry point to remote exec

pakrym-oai · 2026-04-09T01:43:12Z

codex-rs/core/src/tools/sandboxing.rs

 }

 impl<'a> SandboxAttempt<'a> {
+    pub(crate) fn sandbox_preference(&self) -> SandboxablePreference {


same comment as before, we select sandbox type based on preference, feels a bit sus to do the reverse. Are you sure having htis method makes sense?

Should SandboxAttempt store preference directly instead?

pakrym-oai · 2026-04-09T01:44:21Z

codex-rs/exec-server/src/environment.rs

                env: Default::default(),
                tty: false,
                arg0: None,
+                sandbox: SandboxLaunchConfig::no_sandbox(


do you agree with codex that special SandboxLaunchConfig is better than Option<SandboxLaunchConfig> pattern that we used for Fs abstraction?

pakrym-oai · 2026-04-09T01:45:31Z

codex-rs/linux-sandbox/src/lib.rs

 }
+
+#[cfg(target_os = "linux")]
+pub fn dispatch_if_requested() {


we should break the circular dependency in a separte pr and keep arg0/sandboxing code as is.

pakrym-oai · 2026-04-09T01:46:11Z

codex-rs/sandboxing/src/manager.rs

-    pub windows_sandbox_level: WindowsSandboxLevel,
-    pub windows_sandbox_private_desktop: bool,
+impl SandboxExecRequest {
+    pub fn prepare_env_for_spawn(&mut self) {


What is the reason this had to move?

chatgpt-codex-connector bot reviewed Apr 3, 2026

View reviewed changes

codex-rs/exec-server/src/local_process.rs Outdated Show resolved Hide resolved

github-actions bot mentioned this pull request Apr 4, 2026

📊 AI CLI 工具社区动态日报 2026-04-04 gsscsd/big_model_radar#130

Open

starr-openai added a commit that referenced this pull request Apr 6, 2026

codex: fix CI failure on PR #16736

f5d15d0

starr-openai force-pushed the exec-server-sandbox-0403 branch from 13c8fde to f5d15d0 Compare April 6, 2026 17:23

starr-openai added a commit that referenced this pull request Apr 6, 2026

codex: fix CI failure on PR #16736

da8e023

starr-openai force-pushed the exec-server-sandbox-0403 branch from f5d15d0 to da8e023 Compare April 6, 2026 19:07