Allow access of /dev/urandom from bubblewrap sandbox #12056
Description
What version of Codex CLI is running?
built from main (a1b8e34)
What subscription do you have?
Plus
Which model were you using?
gpt-5.3-codex
What platform is your computer?
Linux 4.18.0-553.77.1.el8_10.x86_64 x86_64 x86_64
What terminal emulator and version are you using (if applicable)?
No response
What issue are you seeing?
I'm trying the experimental feature bubblewrap as the sandbox option. This is because landlock is not available on my kernel. So far this feature looks good to me with some slight issues.
When a sandbox command needs to read from /dev/urandom, it fails.
Some commands (like git) require secure random numbers from that device.
I'm building codex directly from main.
What steps can reproduce the bug?
Set the following in config:
features.use_linux_sandbox_bwrap = true
sandbox_mode = "workspace-write"
approval_policy = "never"
Tell agent:
try to read from `/dev/urandom`
Agent ran:
head -c 16 /dev/urandom | od -An -tx1
Command failed with:
head: cannot open '/dev/urandom' for reading: Permission denied
What is the expected behavior?
Agent successfully reads from secure random.
Additional information
The error is weird because root is bound read-only, while it looks like reading /dev/urandom requires full permission.
I read through the current sandbox code (linux-sandbox/src/bwrap.rs). Currently it only adds --dev-bind /dev/null /dev/null. Consider adding other bindings (/dev/urandom, /dev/zero, etc.) or maybe use bubblewrap's --dev /dev option (not sure if it works with read-only root binding though).
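An added illustration of the binding change the report asks for; this is example code, not the project's bwrap.rs and not the reporter's. It assumes the sandbox is built as a `bwrap` argument list with `--ro-bind / /` first and one `--dev-bind` per device node after it (the assumed `DEVICE_NODES` list extends the existing `/dev/null` binding with the `/dev/urandom` and `/dev/zero` nodes the issue names). A plain `--ro-bind` is mounted with `nodev`, so opening a device node under it fails with EACCES, which is the "Permission denied" in the report; `--dev-bind` is what allows device access. The `exists` check is an assumption added so a minimal host without one of the nodes does not make `bwrap` itself fail.

```rust
use std::path::Path;
use std::process::Command;

/// Device nodes the sandboxed command must be able to open even though `/` is
/// bound read-only. Assumed list for this example: the issue names /dev/null
/// (already bound today), /dev/urandom and /dev/zero.
pub const DEVICE_NODES: &[&str] = &["/dev/null", "/dev/urandom", "/dev/zero"];

/// Build the `bwrap` argument list: read-only root first, then one
/// `--dev-bind SRC DEST` per device node that is present on the host, then the
/// command to run. `exists` is injected so the builder can be tested without
/// touching the real /dev.
pub fn bwrap_args(
    devices: &[&str],
    exists: impl Fn(&str) -> bool,
    command: &[&str],
) -> Vec<String> {
    let mut args: Vec<String> = vec!["--ro-bind".into(), "/".into(), "/".into()];
    for dev in devices {
        // A node missing on the host (e.g. a stripped-down container image) is
        // skipped rather than passed to bwrap, which would abort the whole sandbox.
        if exists(dev) {
            args.push("--dev-bind".into());
            args.push((*dev).into());
            args.push((*dev).into());
        }
    }
    args.push("--".into());
    args.extend(command.iter().map(|s| s.to_string()));
    args
}

/// Real host lookup used by `main`; the test substitutes a closure instead.
pub fn host_path_exists(path: &str) -> bool {
    Path::new(path).exists()
}

fn main() {
    // The command from the report: read 16 bytes from the kernel CSPRNG.
    let command = ["head", "-c", "16", "/dev/urandom"];
    let args = bwrap_args(DEVICE_NODES, host_path_exists, &command);
    println!("bwrap {}", args.join(" "));

    // Running bwrap requires it to be installed and user namespaces to be allowed;
    // report the failure instead of panicking so the builder can still be inspected.
    match Command::new("bwrap").args(&args).status() {
        Ok(status) => println!("bwrap exited with {status}"),
        Err(err) => println!("could not run bwrap: {err}"),
    }
}
```

Running the binary prints the assembled `bwrap` line and, where `bwrap` is available, executes it; with `/dev/urandom` dev-bound the `head` command reads its 16 bytes instead of failing with "Permission denied".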