Skip to content

linux-sandbox: Always compile with optimizations #13264

Open
Open
linux-sandbox: Always compile with optimizations#13264
Labels
CLIIssues related to the Codex CLIbugSomething isn't workingsandboxIssues related to permissions or sandboxing
@javierhonduco

Description

@javierhonduco
javierhonduco
opened on Mar 2, 2026

Compiling bubblewrap with optimizations has several advantages:

  1. Parity with bringing it as a pre-built binary, which typically will be built with optimizations
  2. In dev mode (--debug), the native code can be hardened. Hardening won't work without optimizations and it's quite useful to detect bugs. For this reason, nix enables it by default
  3. Cleans warnings when compiling with nix

This can be done with the following patch. As of now it'll use the same level of optimizations as Rust (O0 in dev mode and O3 in release)

diff --git a/codex-rs/linux-sandbox/build.rs b/codex-rs/linux-sandbox/build.rs
index 700aade40..ee767b32d 100644
--- a/codex-rs/linux-sandbox/build.rs
+++ b/codex-rs/linux-sandbox/build.rs
@@ -68,7 +68,9 @@ fn try_build_vendored_bwrap() -> Result<(), String> {
         .include(&src_dir)
         .define("_GNU_SOURCE", None)
         // Rename `main` so we can call it via FFI.
-        .define("main", Some("bwrap_main"));
+        .define("main", Some("bwrap_main"))
+        .opt_level(2);
+
     for include_path in libcap.include_paths {
         // Use -idirafter so target sysroot headers win (musl cross builds),
         // while still allowing libcap headers from the host toolchain.

Without this patch, under nix, these warnings are emitted:

   Compiling codex-linux-sandbox v0.0.0 (/home/javierhonduco/git/codex/codex-rs/linux-sandbox)
warning: codex-linux-sandbox@0.0.0: In file included from /home/javierhonduco/git/codex/codex-rs/linux-sandbox/../vendor/bubblewrap/bubblewrap.c:22:
warning: codex-linux-sandbox@0.0.0: In file included from /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/poll.h:1:
warning: codex-linux-sandbox@0.0.0: In file included from /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/sys/poll.h:22:
warning: codex-linux-sandbox@0.0.0: /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/features.h:435:4: warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings]
warning: codex-linux-sandbox@0.0.0:   435 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
warning: codex-linux-sandbox@0.0.0:       |    ^
warning: codex-linux-sandbox@0.0.0: In file included from /home/javierhonduco/git/codex/codex-rs/linux-sandbox/../vendor/bubblewrap/bind-mount.c:22:
warning: codex-linux-sandbox@0.0.0: In file included from /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/sys/mount.h:24:
warning: codex-linux-sandbox@0.0.0: In file included from /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/fcntl.h:25:
warning: codex-linux-sandbox@0.0.0: /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/features.h:435:4: warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings]
warning: codex-linux-sandbox@0.0.0:   435 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
warning: codex-linux-sandbox@0.0.0:       |    ^
warning: codex-linux-sandbox@0.0.0: In file included from /home/javierhonduco/git/codex/codex-rs/linux-sandbox/../vendor/bubblewrap/network.c:22:
warning: codex-linux-sandbox@0.0.0: In file included from /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/arpa/inet.h:21:
warning: codex-linux-sandbox@0.0.0: /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/features.h:435:4: warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings]
warning: codex-linux-sandbox@0.0.0:   435 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
warning: codex-linux-sandbox@0.0.0:       |    ^
warning: codex-linux-sandbox@0.0.0: In file included from /home/javierhonduco/git/codex/codex-rs/linux-sandbox/../vendor/bubblewrap/utils.c:21:
warning: codex-linux-sandbox@0.0.0: In file included from /home/javierhonduco/git/codex/codex-rs/linux-sandbox/../vendor/bubblewrap/utils.h:22:
warning: codex-linux-sandbox@0.0.0: In file included from /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/assert.h:35:
warning: codex-linux-sandbox@0.0.0: /nix/store/5d312v017ffzy1w5bbgdb82hikmc88g3-glibc-2.42-47-dev/include/features.h:435:4: warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings]
warning: codex-linux-sandbox@0.0.0:   435 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
warning: codex-linux-sandbox@0.0.0:       |    ^
warning: codex-linux-sandbox@0.0.0: 1 warning generated.
warning: codex-linux-sandbox@0.0.0: 1 warning generated.
warning: codex-linux-sandbox@0.0.0: 1 warning generated.
warning: codex-linux-sandbox@0.0.0: 1 warning generated.

Metadata

Metadata

Assignees

No one assigned

    Labels

    CLIIssues related to the Codex CLIbugSomething isn't workingsandboxIssues related to permissions or sandboxing

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions