fix(codex-code): don't pre-disable sudo on codex-review job#80
Conversation
The codex-review job ran Harden-Runner with `disable-sudo-and-containers: true` (added in #56 / v2.1.0, applied uniformly to all 22 instances). But openai/codex-action manages sudo itself: it runs `sudo chmod 444` / `sudo chown root` to lock its responses-api-proxy server-info file, then irreversibly drops sudo via `safety-strategy: drop-sudo` before the untrusted Codex CLI runs. With sudo pre-disabled by Harden-Runner, that chmod fails with "sudo: a password is required" and the action exits 1 before any review runs. This broke every caller pinned to v2.1.0+ whenever a real (non-docs) PR actually invoked Codex — e.g. praetorian-inc/augustus#135, praetorian-inc/pius#72. Fix: set `disable-sudo-and-containers: false` on the codex-review job only and document why. `safety-strategy: drop-sudo` already provides the equivalent secret-protection guarantee (removes sudo before untrusted code runs). The post-feedback job (no codex-action) keeps `disable-sudo-and-containers: true`. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 33 minutes and 40 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Gemini review skipped — non-code PR (only changed files matching |
|
Claude review skipped — non-code PR (only changed files matching |
|
Codex review skipped — non-code PR (only changed files matching |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9220579048
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # guarantee (blocks reading OPENAI_API_KEY via /proc/*/environ). Only trusted | ||
| # first-party steps run while sudo exists; Codex runs only after it's dropped. | ||
| # The post-feedback job (no codex-action) keeps disable-sudo-and-containers. | ||
| disable-sudo-and-containers: false |
There was a problem hiding this comment.
Keep container access disabled for Codex
In the default codex-review path, this turns off the combined Harden-Runner control for both sudo and containers, but openai/codex-action's drop-sudo only removes the runner user's sudo/admin membership; it does not remove Docker/containerd socket access. StepSecurity documents disable-sudo-and-containers as the mitigation that removes Docker/containerd access because a runner user with Docker access can start a privileged container and mount the host filesystem to regain root. A same-repo PR that prompt-injects Codex into invoking Docker can therefore bypass the intended drop-sudo/read-only protection and read host files or process secrets before the review output is posted, so this job needs a way to preserve the container lockdown rather than disabling the combined control entirely.
Useful? React with 👍 / 👎.
Verification (end-to-end) ✅This PR only touches Result (run 26695306474):
Log evidence: the (The |
…review Addresses review feedback on #80: re-enabling sudo via `disable-sudo-and-containers: false` (needed because codex-action chmod/chown- locks its proxy server-info file then drops sudo itself) ALSO re-enabled container access, because Harden-Runner has no container-only control and codex-action's drop-sudo strips the runner's sudo/admin group but not its `docker` group. That reopened CVE-2025-32955: a prompt-injected Codex could `docker run --privileged -v /:/host` to regain root before review output posts. Fix: add a dedicated step that stops+masks docker/containerd and removes the docker socket, running while sudo is still available and BEFORE Codex executes. After codex-action drops sudo, Codex has neither sudo nor a container runtime — restoring the container half of the lockdown without breaking the sudo the action requires (all codex-action versions still need it). The step logs evidence (socket removed, daemon unreachable) before the review runs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@chatgpt-codex-connector confirmed accurate — thanks, this was a real regression, fixed in 438ecea. Verified the chain against primary sources:
Fix: keep Evidence (clean passing run 26695884656, with the step in place before
|
|
To use Codex here, create an environment for this repo. |
Problem
Every
Codex PR Reviewcheck that actually runs (i.e. on a real code PR, not a docs-only one preflight skips) has been failing org-wide:Examples: praetorian-inc/augustus#135, praetorian-inc/pius#72.
Root cause
The
codex-reviewjob ran Harden-Runner withdisable-sudo-and-containers: true— added in #56 (v2.1.0) and applied uniformly to all 22 Harden-Runner instances as a CVE-2025-32955 baseline. Butopenai/codex-actionmanages sudo itself. Itsaction.yml:sudo chmod 444 $SERVER_INFO_FILE/sudo chown root $SERVER_INFO_FILE— locks the responses-api-proxy server-info file as rootsudo sysctl …(userns) — "runs before drop-sudo"safety-strategy: drop-sudoThe action requires passwordless sudo at job start so it can lock resources and then drop it. Harden-Runner's
disable-sudo-and-containers: truekills sudo first, so step 1'ssudo chmodfails → exit 1 before any review happens.This is the one job (of the 22) whose action self-manages sudo, so the blanket #56 change broke it.
main's green codex checks are false-green — they're preflight skips (^\.github/is inSKIP_RE); the codex job hasn't actually executed since.Fix
Set
disable-sudo-and-containers: falseon the codex-review job only, with an inline comment documenting the trap. Security posture is preserved:safety-strategy: drop-sudoalready gives the equivalent guarantee (irreversibly removes sudo before untrusted Codex runs — blocks readingOPENAI_API_KEYvia/proc/*/environ).persist-credentials:false, the memory-only auth pre-fetch, proxy setup). Codex runs only after drop-sudo.disable-sudo-and-containers: true.Verification
python3 -c yaml.safe_load+actionlintclean on the changed file.codex-reviewjob runs past the sudo lockdown with this change (see linked verification run in a comment below).Rollout note
Fixing this reusable does not unblock callers by itself — they pin
@7c1302b(v2.1.0). After this merges and auto-tags, caller pins must be bumped to the new SHA (ENG-3079 sweep). Do not merge #44 (remove.github/from SKIP_RE) before this lands, or every workflow-touching PR would start hitting the bug.🤖 Generated with Claude Code