[linux sandbox] Isolate IPC namespace in bubblewrap

[evawong-oai]

Why

• The Linux bubblewrap sandbox already isolates user and PID namespaces, and can isolate the network namespace, but it still shared the host IPC namespace.
• That left same user System V IPC objects reachable from sandboxed commands, giving sandboxed code a host communication path outside filesystem and network controls.
• Adding bubblewrap IPC isolation closes that enforcement gap without changing permission profile shape or app server protocol.
• This is intentionally just the bubblewrap enforcement flag, so it should not get in the way of the current PermissionProfile migration for Linux enforcement or any later memory isolation design.

Summary

• Add --unshare-ipc to the Linux bubblewrap argv when bubblewrap is active.
• Update bubblewrap argv fixture expectations.
• Add a Linux regression that seeds a host System V shared memory segment and verifies the sandboxed command cannot attach to it.
• Keep the existing /dev/shm workflow validated.

Validation

• Full validation automation on evawong-pr-validation: 13 passed, 0 failed, 1 skipped.
• Latest PR head validation log: /home/dev-user/codex-bugb16097-pr-validation/logs/20260430T222251Z-pr20240-codex-comments-main.log.
• Local just fmt.
• Local git diff --check.
• The remaining skipped smoke is UNIX socket creation under the active :workspace permissions profile. This is separate from System V IPC namespace isolation.

Tickets

• Linear: https://linear.app/openai/issue/BUGB-16097/missing-unshare-ipc-in-codexs-default-linux-bubblewrap-sandbox-allows
• Bugcrowd: https://tracker.bugcrowd.com/openai/submissions/6e34212b-c1bb-495b-b02e-e466c36ab04f

[evawong-oai]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Chef's kiss.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[evawong-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

codex/codex-rs/sandboxing/src/manager.rs

Lines 317 to 318 in eec6cc3

	let requires_bubblewrap = !use_legacy_landlock
	&& (!file_system_sandbox_policy.has_full_disk_write_access() || allow_network_for_proxy);

Reject WSL1 when IPC isolation requires bubblewrap

Update the WSL1 gate to consider memory IPC isolation. select_initial can now pick LinuxSeccomp for managed full-access profiles, and linux_run_main will invoke bwrap when memory_profile.should_unshare_ipc() is true. But this check still treats unrestricted/no-proxy as “no bwrap required”, so WSL1 paths pass validation and then fail later at runtime with unsupported bwrap behavior.

---

codex/codex-rs/linux-sandbox/src/linux_run_main.rs

Lines 268 to 270 in eec6cc3

	if use_legacy_landlock
	&& file_system_sandbox_policy
	.needs_direct_runtime_enforcement(network_sandbox_policy, sandbox_policy_cwd)

Reject legacy landlock when IPC isolation is required

Block --use-legacy-landlock when memory isolation is required. This guard only checks direct-runtime filesystem enforcement, so managed unrestricted profiles (now defaulting to isolate_ipc=true) are allowed in legacy mode, which skips bubblewrap and never adds --unshare-ipc, leaving host IPC shared contrary to the new default.

---

codex/codex-rs/tools/src/tool_config.rs

Line 365 in eec6cc3

} => !file_system.to_sandbox_policy().has_full_disk_write_access() || !network.is_enabled(),

Account for memory isolation in unified-exec Windows gating

Include memory-based sandbox requirements in this predicate. After this change, managed unrestricted+network-enabled profiles still require platform sandbox (for IPC isolation), but this check treats them as sandbox-free and keeps UnifiedExec enabled on Windows. That bypasses the intended fallback path for sandbox-required managed sessions and can route commands through an incompatible backend.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[evawong-oai]

Addressing the Codex review above.

1. The review was written against commit eec6cc3, when this PR still carried the broader memory permissions design.
2. The current head cfe2e46 no longer changes PermissionProfile, app server protocol, WSL1 gating, legacy landlock gating, or UnifiedExec gating.
3. The current scope is only the Linux bubblewrap IPC namespace flag plus Linux sandbox tests.
4. Because the review findings all depended on the removed memory permissions design, there is no code change to carry forward for those findings in this PR.

[evawong-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cfe2e46620

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".