pub async fn spawn_command_under_linux_sandbox<P>(
codex_linux_sandbox_exe: P,
command: Vec<String>,
sandbox_policy: &SandboxPolicy,
cwd: PathBuf,
stdio_policy: StdioPolicy,
env: HashMap<String, String>,
) -> Result<Child>Expand description
Spawn a shell tool command under the Linux Landlock+seccomp sandbox helper (codex-linux-sandbox).
Unlike macOS Seatbelt where we directly embed the policy text, the Linux
helper accepts a list of --sandbox-permission/-s flags mirroring the
public CLI. We convert the internal SandboxPolicy representation into
the equivalent CLI options.