Merge branch 'main' into add-github-action-for-nix

Author: jessfraz

codex-rs/Cargo.lock

@@ -72,6 +72,7 @@ clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
 crossterm = "0.28.1"
+ctor = "0.5.0"
 derive_more = "2"
 diffy = "0.4.2"
 dirs = "6"

codex-rs/Cargo.toml

@@ -28,6 +28,7 @@ codex-mcp-server = { workspace = true }
 codex-protocol = { workspace = true }
 codex-protocol-ts = { workspace = true }
 codex-tui = { workspace = true }
+ctor = { workspace = true }
 owo-colors = { workspace = true }
 serde_json = { workspace = true }
 supports-color = { workspace = true }
@@ -41,6 +42,15 @@ tokio = { workspace = true, features = [
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+libc = { workspace = true }
+
+[target.'cfg(target_os = "android")'.dependencies]
+libc = { workspace = true }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+libc = { workspace = true }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 predicates = { workspace = true }

codex-rs/cli/Cargo.toml

@@ -21,6 +21,7 @@ use std::path::PathBuf;
 use supports_color::Stream;
 
 mod mcp_cmd;
+mod pre_main_hardening;
 
 use crate::mcp_cmd::McpCli;
 use crate::proto::ProtoCli;
@@ -194,6 +195,34 @@ fn print_exit_messages(exit_info: AppExitInfo) {
     }
 }
 
+pub(crate) const CODEX_SECURE_MODE_ENV_VAR: &str = "CODEX_SECURE_MODE";
+
+/// As early as possible in the process lifecycle, apply hardening measures
+/// if the CODEX_SECURE_MODE environment variable is set to "1".
+#[ctor::ctor]
+fn pre_main_hardening() {
+    let secure_mode = match std::env::var(CODEX_SECURE_MODE_ENV_VAR) {
+        Ok(value) => value,
+        Err(_) => return,
+    };
+
+    if secure_mode == "1" {
+        #[cfg(any(target_os = "linux", target_os = "android"))]
+        crate::pre_main_hardening::pre_main_hardening_linux();
+
+        #[cfg(target_os = "macos")]
+        crate::pre_main_hardening::pre_main_hardening_macos();
+
+        #[cfg(windows)]
+        crate::pre_main_hardening::pre_main_hardening_windows();
+    }
+
+    // Always clear this env var so child processes don't inherit it.
+    unsafe {
+        std::env::remove_var(CODEX_SECURE_MODE_ENV_VAR);
+    }
+}
+
 fn main() -> anyhow::Result<()> {
     arg0_dispatch_or_else(|codex_linux_sandbox_exe| async move {
         cli_main(codex_linux_sandbox_exe).await?;

codex-rs/cli/src/main.rs

@@ -0,0 +1,98 @@
+#[cfg(any(target_os = "linux", target_os = "android"))]
+const PRCTL_FAILED_EXIT_CODE: i32 = 5;
+
+#[cfg(target_os = "macos")]
+const PTRACE_DENY_ATTACH_FAILED_EXIT_CODE: i32 = 6;
+
+#[cfg(any(target_os = "linux", target_os = "android", target_os = "macos"))]
+const SET_RLIMIT_CORE_FAILED_EXIT_CODE: i32 = 7;
+
+#[cfg(any(target_os = "linux", target_os = "android"))]
+pub(crate) fn pre_main_hardening_linux() {
+    // Disable ptrace attach / mark process non-dumpable.
+    let ret_code = unsafe { libc::prctl(libc::PR_SET_DUMPABLE, 0, 0, 0, 0) };
+    if ret_code != 0 {
+        eprintln!(
+            "ERROR: prctl(PR_SET_DUMPABLE, 0) failed: {}",
+            std::io::Error::last_os_error()
+        );
+        std::process::exit(PRCTL_FAILED_EXIT_CODE);
+    }
+
+    // For "defense in depth," set the core file size limit to 0.
+    set_core_file_size_limit_to_zero();
+
+    // Official Codex releases are MUSL-linked, which means that variables such
+    // as LD_PRELOAD are ignored anyway, but just to be sure, clear them here.
+    let ld_keys: Vec<String> = std::env::vars()
+        .filter_map(|(key, _)| {
+            if key.starts_with("LD_") {
+                Some(key)
+            } else {
+                None
+            }
+        })
+        .collect();
+
+    for key in ld_keys {
+        unsafe {
+            std::env::remove_var(key);
+        }
+    }
+}
+
+#[cfg(target_os = "macos")]
+pub(crate) fn pre_main_hardening_macos() {
+    // Prevent debuggers from attaching to this process.
+    let ret_code = unsafe { libc::ptrace(libc::PT_DENY_ATTACH, 0, std::ptr::null_mut(), 0) };
+    if ret_code == -1 {
+        eprintln!(
+            "ERROR: ptrace(PT_DENY_ATTACH) failed: {}",
+            std::io::Error::last_os_error()
+        );
+        std::process::exit(PTRACE_DENY_ATTACH_FAILED_EXIT_CODE);
+    }
+
+    // Set the core file size limit to 0 to prevent core dumps.
+    set_core_file_size_limit_to_zero();
+
+    // Remove all DYLD_ environment variables, which can be used to subvert
+    // library loading.
+    let dyld_keys: Vec<String> = std::env::vars()
+        .filter_map(|(key, _)| {
+            if key.starts_with("DYLD_") {
+                Some(key)
+            } else {
+                None
+            }
+        })
+        .collect();
+
+    for key in dyld_keys {
+        unsafe {
+            std::env::remove_var(key);
+        }
+    }
+}
+
+#[cfg(unix)]
+fn set_core_file_size_limit_to_zero() {
+    let rlim = libc::rlimit {
+        rlim_cur: 0,
+        rlim_max: 0,
+    };
+
+    let ret_code = unsafe { libc::setrlimit(libc::RLIMIT_CORE, &rlim) };
+    if ret_code != 0 {
+        eprintln!(
+            "ERROR: setrlimit(RLIMIT_CORE) failed: {}",
+            std::io::Error::last_os_error()
+        );
+        std::process::exit(SET_RLIMIT_CORE_FAILED_EXIT_CODE);
+    }
+}
+
+#[cfg(windows)]
+pub(crate) fn pre_main_hardening_windows() {
+    // TODO(mbolin): Perform the appropriate configuration for Windows.
+}