diff --git a/codex-rs/Cargo.toml b/codex-rs/Cargo.toml
index 80bae6550a..d8b8f4ebda 100644
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -129,7 +129,7 @@ image = { version = "^0.25.8", default-features = false }
 indexmap = "2.12.0"
 insta = "1.43.2"
 itertools = "0.14.0"
-keyring = "3.6"
+keyring = { version = "3.6", default-features = false }
 landlock = "0.4.1"
 lazy_static = "1"
 libc = "0.2.175"
diff --git a/codex-rs/core/Cargo.toml b/codex-rs/core/Cargo.toml
index ab732c910c..4d8f43778c 100644
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -40,12 +40,7 @@ eventsource-stream = { workspace = true }
 futures = { workspace = true }
 http = { workspace = true }
 indexmap = { workspace = true }
-keyring = { workspace = true, features = [
- "apple-native",
- "crypto-rust",
- "linux-native-async-persistent",
- "windows-native",
-] }
+keyring = { workspace = true, features = ["crypto-rust"] }
 libc = { workspace = true }
 mcp-types = { workspace = true }
 os_info = { workspace = true }
@@ -90,9 +85,11 @@ wildmatch = { workspace = true }
 [target.'cfg(target_os = "linux")'.dependencies]
 landlock = { workspace = true }
 seccompiler = { workspace = true }
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
 [target.'cfg(target_os = "macos")'.dependencies]
 core-foundation = "0.9"
+keyring = { workspace = true, features = ["apple-native"] }
 # Build OpenSSL from source for musl builds.
 [target.x86_64-unknown-linux-musl.dependencies]
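Review bot: Once the platform features move out of the base `keyring` entry (in core/Cargo.toml here, and likewise in keyring-store/Cargo.toml and rmcp-client/Cargo.toml), a target that matches none of the `cfg(target_os = …)` tables builds `keyring` with `crypto-rust` only and no credential store. As far as I recall keyring 3.x then uses its in-memory mock store rather than failing, so secrets would silently not persist on such a target; please confirm against the crate documentation. The manifest should say so next to the base entry, e.g. `# Backends are enabled per target below; a target with no matching table gets no persistent store.`, and the code that opens the store should return an explicit error in that case.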
@@ -102,6 +99,12 @@ openssl-sys = { workspace = true, features = ["vendored"] }
 [target.aarch64-unknown-linux-musl.dependencies]
 openssl-sys = { workspace = true, features = ["vendored"] }
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }
diff --git a/codex-rs/keyring-store/Cargo.toml b/codex-rs/keyring-store/Cargo.toml
index f662e5d4ff..932693de50 100644
--- a/codex-rs/keyring-store/Cargo.toml
+++ b/codex-rs/keyring-store/Cargo.toml
@@ -7,10 +7,17 @@ version = { workspace = true }
 workspace = true
 [dependencies]
-keyring = { workspace = true, features = [
- "apple-native",
- "crypto-rust",
- "linux-native-async-persistent",
- "windows-native",
-] }
+keyring = { workspace = true, features = ["crypto-rust"] }
 tracing = { workspace = true }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+keyring = { workspace = true, features = ["apple-native"] }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
diff --git a/codex-rs/process-hardening/Cargo.toml b/codex-rs/process-hardening/Cargo.toml
index 7294b6e268..2ba4b0d5ca 100644
--- a/codex-rs/process-hardening/Cargo.toml
+++ b/codex-rs/process-hardening/Cargo.toml
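Review bot: The same four per-target `keyring` tables are now repeated in core/Cargo.toml, keyring-store/Cargo.toml and rmcp-client/Cargo.toml, so a new platform or a backend change has to be made in three places and the copies can drift apart. rmcp-client already lists `codex-keyring-store` as a dependency, and Cargo unifies the features of a shared dependency within one build, so declaring the platform features once in keyring-store and keeping only the base `keyring` entry elsewhere should give the same result; whether core also depends on keyring-store is not visible in this diff. FreeBSD/OpenBSD get `sync-secret-service` while Linux gets `linux-native-async-persistent`, which, as far as I know, means the BSD backend depends on a reachable D-Bus Secret Service at runtime; a comment stating that choice would help, e.g. `# BSD: Secret Service over D-Bus only.`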
@@ -11,11 +11,4 @@ path = "src/lib.rs"
 workspace = true
 [dependencies]
-[target.'cfg(target_os = "linux")'.dependencies]
-libc = { workspace = true }
-
-[target.'cfg(target_os = "android")'.dependencies]
-libc = { workspace = true }
-
-[target.'cfg(target_os = "macos")'.dependencies]
 libc = { workspace = true }
diff --git a/codex-rs/process-hardening/src/lib.rs b/codex-rs/process-hardening/src/lib.rs
index a787b4097d..0a624fb387 100644
--- a/codex-rs/process-hardening/src/lib.rs
+++ b/codex-rs/process-hardening/src/lib.rs
@@ -10,6 +10,10 @@ pub fn pre_main_hardening() {
 #[cfg(target_os = "macos")]
 pre_main_hardening_macos();
+ // On FreeBSD and OpenBSD, apply similar hardening to Linux/macOS:
+ #[cfg(any(target_os = "freebsd", target_os = "openbsd"))]
+ pre_main_hardening_bsd();
+
 #[cfg(windows)]
 pre_main_hardening_windows();
 }
@@ -20,7 +24,13 @@ const PRCTL_FAILED_EXIT_CODE: i32 = 5;
 #[cfg(target_os = "macos")]
 const PTRACE_DENY_ATTACH_FAILED_EXIT_CODE: i32 = 6;
-#[cfg(any(target_os = "linux", target_os = "android", target_os = "macos"))]
+#[cfg(any(
+ target_os = "linux",
+ target_os = "android",
+ target_os = "macos",
+ target_os = "freebsd",
+ target_os = "openbsd"
+))]
 const SET_RLIMIT_CORE_FAILED_EXIT_CODE: i32 = 7;
 #[cfg(any(target_os = "linux", target_os = "android"))]
@@ -57,6 +67,27 @@ pub(crate) fn pre_main_hardening_linux() {
 }
 }
+#[cfg(any(target_os = "freebsd", target_os = "openbsd"))]
+pub(crate) fn pre_main_hardening_bsd() {
+ // FreeBSD/OpenBSD: set RLIMIT_CORE to 0 and clear LD_* env vars
+ set_core_file_size_limit_to_zero();
+
+ let ld_keys: Vec = std::env::vars()
+ .filter_map(|(key, _)| {
+ if key.starts_with("LD_") {
+ Some(key)
+ } else {
+ None
+ }
+ })
+ .collect();
+ for key in ld_keys {
+ unsafe {
+ std::env::remove_var(key);
+ }
+ }
+}
+
 #[cfg(target_os = "macos")]
 pub(crate) fn pre_main_hardening_macos() {
 // Prevent debuggers from attaching to this process.
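Review bot: The new comment in `pre_main_hardening()` says the BSD path applies hardening similar to Linux/macOS, but `pre_main_hardening_bsd()` as added later in this diff only zeroes RLIMIT_CORE and removes `LD_*` variables. The macOS helper is documented as preventing debugger attach, and the BSD path has no counterpart to that (FreeBSD offers `procctl(2)` with `PROC_TRACE_CTL` for this purpose). I would word the comment so nobody assumes parity: `// FreeBSD/OpenBSD: disable core dumps and strip LD_* only; debugger attach is not restricted here.` The body of `pre_main_hardening()` starts above the hunk.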
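Review bot: `std::env::vars()` in `pre_main_hardening_bsd()` panics when any environment key or value is not valid Unicode, so a single odd variable aborts the process inside the hardening step; `std::env::vars_os()` avoids that and still lets the `LD_` prefix be checked on the raw bytes. The `unsafe` block around `remove_var` also has no `// SAFETY:` comment; the call is only sound while no other thread reads or writes the environment, which presumably holds because this runs before main, and that should be written down. If the Linux helper above the hunk uses the same `vars()` pattern, the same change applies there.

```rust
pub(crate) fn pre_main_hardening_bsd() {
    // ... unchanged: set_core_file_size_limit_to_zero() call ...

    // vars_os() never panics on non-UTF-8 entries, unlike vars().
    let ld_keys: Vec<std::ffi::OsString> = std::env::vars_os()
        .map(|(key, _)| key)
        .filter(|key| key.as_encoded_bytes().starts_with(b"LD_"))
        .collect();
    for key in ld_keys {
        // SAFETY: assumed to run before main, while the process is still
        // single-threaded, so nothing else touches the environment. Confirm.
        unsafe {
            std::env::remove_var(key);
        }
    }
}
```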
diff --git a/codex-rs/rmcp-client/Cargo.toml b/codex-rs/rmcp-client/Cargo.toml
index e9f832e655..92591a09e7 100644
--- a/codex-rs/rmcp-client/Cargo.toml
+++ b/codex-rs/rmcp-client/Cargo.toml
@@ -16,12 +16,7 @@ codex-keyring-store = { workspace = true }
 codex-protocol = { workspace = true }
 dirs = { workspace = true }
 futures = { workspace = true, default-features = false, features = ["std"] }
-keyring = { workspace = true, features = [
- "apple-native",
- "crypto-rust",
- "linux-native-async-persistent",
- "windows-native",
-] }
+keyring = { workspace = true, features = ["crypto-rust"] }
 mcp-types = { path = "../mcp-types" }
 oauth2 = "5"
 reqwest = { version = "0.12", default-features = false, features = [
@@ -62,3 +57,14 @@ escargot = { workspace = true }
 pretty_assertions = { workspace = true }
 serial_test = { workspace = true }
 tempfile = { workspace = true }
+[target.'cfg(target_os = "linux")'.dependencies]
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+keyring = { workspace = true, features = ["apple-native"] }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
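Review bot: The new `[target.….dependencies]` tables start on the line right after `tempfile = { workspace = true }`, with no blank line, and sit below the dev-only entries, so a reader scanning that section can take them for test-only dependencies. I would move them up next to `[dependencies]`, as keyring-store/Cargo.toml does in this same change, or at least separate them with a blank line and a comment such as `# Runtime (non-dev) per-target keyring backends.`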