Skip to content

Commit 43615be

Browse files
authored
chore: move pre_main_hardening() utility into its own crate (openai#4403)
1 parent 9ee6e6f commit 43615be

6 files changed

Lines changed: 51 additions & 21 deletions

File tree

codex-rs/Cargo.lock

Lines changed: 8 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

codex-rs/Cargo.toml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ members = [
1616
"mcp-server",
1717
"mcp-types",
1818
"ollama",
19+
"process-hardening",
1920
"protocol",
2021
"protocol-ts",
2122
"rmcp-client",
@@ -49,10 +50,11 @@ codex-login = { path = "login" }
4950
codex-mcp-client = { path = "mcp-client" }
5051
codex-mcp-server = { path = "mcp-server" }
5152
codex-ollama = { path = "ollama" }
53+
codex-process-hardening = { path = "process-hardening" }
5254
codex-protocol = { path = "protocol" }
53-
codex-rmcp-client = { path = "rmcp-client" }
5455
codex-protocol-ts = { path = "protocol-ts" }
5556
codex-responses-api-proxy = { path = "responses-api-proxy" }
57+
codex-rmcp-client = { path = "rmcp-client" }
5658
codex-tui = { path = "tui" }
5759
codex-utils-readiness = { path = "utils/readiness" }
5860
core_test_support = { path = "core/tests/common" }
@@ -83,8 +85,8 @@ dirs = "6"
8385
dotenvy = "0.15.7"
8486
env-flags = "0.1.1"
8587
env_logger = "0.11.5"
86-
eventsource-stream = "0.2.3"
8788
escargot = "0.5"
89+
eventsource-stream = "0.2.3"
8890
futures = "0.3"
8991
icu_decimal = "2.0.0"
9092
icu_locale_core = "2.0.0"

codex-rs/cli/Cargo.toml

Lines changed: 1 addition & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ codex-core = { workspace = true }
2525
codex-exec = { workspace = true }
2626
codex-login = { workspace = true }
2727
codex-mcp-server = { workspace = true }
28+
codex-process-hardening = { workspace = true }
2829
codex-protocol = { workspace = true }
2930
codex-protocol-ts = { workspace = true }
3031
codex-responses-api-proxy = { workspace = true }
@@ -43,15 +44,6 @@ tokio = { workspace = true, features = [
4344
tracing = { workspace = true }
4445
tracing-subscriber = { workspace = true }
4546

46-
[target.'cfg(target_os = "linux")'.dependencies]
47-
libc = { workspace = true }
48-
49-
[target.'cfg(target_os = "android")'.dependencies]
50-
libc = { workspace = true }
51-
52-
[target.'cfg(target_os = "macos")'.dependencies]
53-
libc = { workspace = true }
54-
5547
[dev-dependencies]
5648
assert_cmd = { workspace = true }
5749
predicates = { workspace = true }

codex-rs/cli/src/main.rs

Lines changed: 1 addition & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,6 @@ use std::path::PathBuf;
2323
use supports_color::Stream;
2424

2525
mod mcp_cmd;
26-
mod pre_main_hardening;
2726

2827
use crate::mcp_cmd::McpCli;
2928
use crate::proto::ProtoCli;
@@ -213,14 +212,7 @@ fn pre_main_hardening() {
213212
};
214213

215214
if secure_mode == "1" {
216-
#[cfg(any(target_os = "linux", target_os = "android"))]
217-
crate::pre_main_hardening::pre_main_hardening_linux();
218-
219-
#[cfg(target_os = "macos")]
220-
crate::pre_main_hardening::pre_main_hardening_macos();
221-
222-
#[cfg(windows)]
223-
crate::pre_main_hardening::pre_main_hardening_windows();
215+
codex_process_hardening::pre_main_hardening();
224216
}
225217

226218
// Always clear this env var so child processes don't inherit it.
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
[package]
2+
edition = "2024"
3+
name = "codex-process-hardening"
4+
version = { workspace = true }
5+
6+
[lib]
7+
name = "codex_process_hardening"
8+
path = "src/lib.rs"
9+
10+
[lints]
11+
workspace = true
12+
13+
[dependencies]
14+
[target.'cfg(target_os = "linux")'.dependencies]
15+
libc = { workspace = true }
16+
17+
[target.'cfg(target_os = "android")'.dependencies]
18+
libc = { workspace = true }
19+
20+
[target.'cfg(target_os = "macos")'.dependencies]
21+
libc = { workspace = true }
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,19 @@
1+
/// This is designed to be called pre-main() (using `#[ctor::ctor]`) to perform
2+
/// various process hardening steps, such as
3+
/// - disabling core dumps
4+
/// - disabling ptrace attach on Linux and macOS.
5+
/// - removing dangerous environment variables such as LD_PRELOAD and DYLD_*
6+
pub fn pre_main_hardening() {
7+
#[cfg(any(target_os = "linux", target_os = "android"))]
8+
pre_main_hardening_linux();
9+
10+
#[cfg(target_os = "macos")]
11+
pre_main_hardening_macos();
12+
13+
#[cfg(windows)]
14+
pre_main_hardening_windows();
15+
}
16+
117
#[cfg(any(target_os = "linux", target_os = "android"))]
218
const PRCTL_FAILED_EXIT_CODE: i32 = 5;
319

0 commit comments

Comments
 (0)