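# syntax=docker/dockerfile:1
#
# CVE-2025-59532 Codex CLI research environment.
#
# Builds three Codex CLI releases from source (labelled vulnerable, patched
# and latest in the original research notes - the labels are carried over,
# not verified here) so their sandbox behaviour can be compared side by side,
# then ships only the resulting binaries in a slim runtime image.
#
# NOTE(review): Landlock is a feature of the *host* kernel, not of this image.
# Nothing installed or written in an image can enable it; see the runtime
# notes near the end of this file.

ARG RUST_VERSION=1.70
# Both stages must share the Debian release so the dynamically linked
# libssl/libcrypto the builder links against has the same ABI at runtime.
ARG DEBIAN_RELEASE=bookworm

# Codex release versions to build; each is checked out as tag rust-v<version>.
ARG CODEX_VULNERABLE=0.38.0
ARG CODEX_PATCHED=0.39.0
ARG CODEX_LATEST=0.50.0

########################################################################
# Build stage: Rust toolchain, git and the OpenSSL headers cargo needs.
# Everything here is discarded; only /codex/binaries is copied forward.
########################################################################
FROM rust:${RUST_VERSION}-slim-${DEBIAN_RELEASE} AS builder

# Kernel headers are deliberately NOT installed: Landlock is driven by raw
# syscalls from the Rust `landlock` crate and needs no headers at build time,
# and "linux-headers-generic" is an Ubuntu package name that is not available
# on this Debian-based image (the original apt step would fail there).
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        git \
        libssl-dev \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /codex

# Full (non-shallow) clone because three different tags are checked out below.
# NOTE(review): tags are mutable. For a reproducible research artefact, record
# the commit each tag resolved to - the build steps below write one
# <version>.commit file per binary for exactly that purpose.
RUN git clone https://github.com/openai/codex.git repo

# ARGs declared before FROM are only visible in FROM lines; redeclare them.
ARG CODEX_VULNERABLE
ARG CODEX_PATCHED
ARG CODEX_LATEST

WORKDIR /codex/repo/codex-rs

# `rustup` honours codex-rs/rust-toolchain.toml when the checked-out revision
# ships one, so the RUST_VERSION tag above fixes the Debian base, not
# necessarily the compiler that actually builds each release.
# `cargo clean` after each build bounds build-host disk usage; cargo's
# fingerprinting would also cope with a shared target dir, this just matches
# the original recipe.
RUN set -eux; \
    mkdir -p /codex/binaries; \
    git checkout -f "rust-v${CODEX_VULNERABLE}"; \
    git rev-parse HEAD > "/codex/binaries/${CODEX_VULNERABLE}.commit"; \
    cargo build --release --bin codex; \
    install -m 0755 target/release/codex "/codex/binaries/codex-${CODEX_VULNERABLE}"; \
    cargo clean; \
    echo "Built rust-v${CODEX_VULNERABLE} (vulnerable)"

RUN set -eux; \
    git checkout -f "rust-v${CODEX_PATCHED}"; \
    git rev-parse HEAD > "/codex/binaries/${CODEX_PATCHED}.commit"; \
    cargo build --release --bin codex; \
    install -m 0755 target/release/codex "/codex/binaries/codex-${CODEX_PATCHED}"; \
    cargo clean; \
    echo "Built rust-v${CODEX_PATCHED} (patched)"

RUN set -eux; \
    git checkout -f "rust-v${CODEX_LATEST}"; \
    git rev-parse HEAD > "/codex/binaries/${CODEX_LATEST}.commit"; \
    cargo build --release --bin codex; \
    install -m 0755 target/release/codex "/codex/binaries/codex-${CODEX_LATEST}"; \
    cargo clean; \
    echo "Built rust-v${CODEX_LATEST} (latest)"

########################################################################
# Runtime stage: the built binaries plus only what they need to run.
# (The original single-stage image shipped the whole Rust toolchain,
# build-essential and git history; `rm -rf repo` in a later layer did not
# actually reclaim that space.)
########################################################################
FROM debian:${DEBIAN_RELEASE}-slim

LABEL org.opencontainers.image.description="CVE-2025-59532 Codex CLI Research Environment"

ARG CODEX_VULNERABLE
ARG CODEX_PATCHED
ARG CODEX_LATEST

# ca-certificates + libssl3: TLS for the API client (the builder linked against
# libssl-dev). git: Codex inspects the working tree's repository state.
# NOTE(review): confirm with `ldd /codex/binaries/codex-*` that no other shared
# library is required; the exact link set depends on the checked-out revision.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        git \
        libssl3 \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /codex/binaries/ /codex/binaries/

# Short names for the three builds; bare `codex` is the latest one.
RUN ln -sf "/codex/binaries/codex-${CODEX_VULNERABLE}" /usr/local/bin/codex38 \
 && ln -sf "/codex/binaries/codex-${CODEX_PATCHED}"    /usr/local/bin/codex39 \
 && ln -sf "/codex/binaries/codex-${CODEX_LATEST}"     /usr/local/bin/codex50 \
 && ln -sf "/codex/binaries/codex-${CODEX_LATEST}"     /usr/local/bin/codex

# Helper scripts (not in view here). Only *.sh is made executable, as before.
COPY scripts/ /codex/scripts/
RUN chmod +x /codex/scripts/*.sh
COPY scripts/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Run as an unprivileged user: Codex's Linux sandbox is meant to confine an
# unprivileged process, so escape/containment results taken as root inside the
# container are not representative. /workspace/child is the directory Codex is
# pointed at; it is owned by that user rather than being chmod 777.
# NOTE(review): scripts/entrypoint.sh is not in view. If it needs root (mounts,
# chown, sysctl), keep root here and drop privileges inside the script instead.
RUN groupadd --system --gid 10001 codex \
 && useradd --system --uid 10001 --gid codex --create-home --home-dir /home/codex codex \
 && mkdir -p /workspace/child \
 && chown -R codex:codex /workspace

# Landlock cannot be enabled from inside a container. It is a host kernel LSM
# (CONFIG_SECURITY_LANDLOCK, listed in `lsm=` on the kernel command line);
# there is no `kernel.landlock.*` sysctl, and /etc/sysctl.conf baked into an
# image is never applied by the container runtime. The original
# `echo kernel.landlock.syscall=1 >> /etc/sysctl.conf || true` was therefore a
# no-op whose `|| true` hid that fact. Check on the HOST before running:
#   grep -q landlock /sys/kernel/security/lsm
# and make sure the runtime's seccomp profile permits the landlock_* syscalls
# (older default profiles may not; use a custom profile rather than
# `--security-opt seccomp=unconfined` anywhere but an isolated research host).

ENV RUST_LOG=warn \
    RUST_BACKTRACE=1

WORKDIR /workspace/child

# Declared AFTER the directory is created and chowned - content written to a
# path after its VOLUME line is discarded. This does NOT prevent bind mounts
# (the original comment was wrong); it makes /workspace an anonymous volume
# by default so it is writable and survives a read-only root filesystem.
VOLUME /workspace

USER codex

ENTRYPOINT ["/entrypoint.sh"]
CMD ["/bin/bash"]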