linux-sandbox: plumb split sandbox policies through helper (#13449)

## Why

The Linux sandbox helper still only accepted the legacy `SandboxPolicy`
payload.

That meant the runtime could compute split filesystem and network
policies, but the helper would immediately collapse them back to the
compatibility projection before applying seccomp or staging the
bubblewrap inner command.

## What changed

- added hidden `--file-system-sandbox-policy` and
`--network-sandbox-policy` flags alongside the legacy `--sandbox-policy`
flag so the helper can migrate incrementally
- updated the core-side Landlock wrapper to pass the split policies
explicitly when launching `codex-linux-sandbox`
- added helper-side resolution logic that accepts either the legacy
policy alone or a complete split-policy pair and normalizes that into
one effective configuration
- switched Linux helper network decisions to use `NetworkSandboxPolicy`
directly
- added `FromStr` support for the split policy types so the helper can
parse them from CLI JSON

## Verification

- added helper coverage in `linux-sandbox/src/linux_run_main_tests.rs`
for split-policy flags and policy resolution
- added CLI argument coverage in `core/src/landlock.rs`
- verified the current PR state with `just clippy`




---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/13449).
* #13453
* #13452
* #13451
* __->__ #13449
* #13448
* #13445
* #13440
* #13439

---------

Co-authored-by: viyatb-oai <viyatb@openai.com>

codex-rs/linux-sandbox/src/linux_run_main_tests.rs

@@ -1,7 +1,13 @@
 #[cfg(test)]
 use super::*;
 #[cfg(test)]
+use codex_protocol::protocol::FileSystemSandboxPolicy;
+#[cfg(test)]
+use codex_protocol::protocol::NetworkSandboxPolicy;
+#[cfg(test)]
 use codex_protocol::protocol::SandboxPolicy;
+#[cfg(test)]
+use pretty_assertions::assert_eq;
 
 #[test]
 fn detects_proc_mount_invalid_argument_failure() {
@@ -91,42 +97,66 @@ fn inserts_unshare_net_when_proxy_only_network_mode_requested() {
 
 #[test]
 fn proxy_only_mode_takes_precedence_over_full_network_policy() {
-    let mode = bwrap_network_mode(&SandboxPolicy::DangerFullAccess, true);
+    let mode = bwrap_network_mode(NetworkSandboxPolicy::Enabled, true);
     assert_eq!(mode, BwrapNetworkMode::ProxyOnly);
 }
 
 #[test]
 fn managed_proxy_preflight_argv_is_wrapped_for_full_access_policy() {
-    let mode = bwrap_network_mode(&SandboxPolicy::DangerFullAccess, true);
+    let mode = bwrap_network_mode(NetworkSandboxPolicy::Enabled, true);
     let argv = build_preflight_bwrap_argv(Path::new("/"), &SandboxPolicy::DangerFullAccess, mode);
     assert!(argv.iter().any(|arg| arg == "--"));
 }
 
 #[test]
 fn managed_proxy_inner_command_includes_route_spec() {
-    let args = build_inner_seccomp_command(
-        Path::new("/tmp"),
-        &SandboxPolicy::new_read_only_policy(),
-        true,
-        true,
-        Some("{\"routes\":[]}".to_string()),
-        vec!["/bin/true".to_string()],
-    );
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+    let args = build_inner_seccomp_command(InnerSeccompCommandArgs {
+        sandbox_policy_cwd: Path::new("/tmp"),
+        sandbox_policy: &sandbox_policy,
+        file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
+        network_sandbox_policy: NetworkSandboxPolicy::Restricted,
+        use_bwrap_sandbox: true,
+        allow_network_for_proxy: true,
+        proxy_route_spec: Some("{\"routes\":[]}".to_string()),
+        command: vec!["/bin/true".to_string()],
+    });
 
     assert!(args.iter().any(|arg| arg == "--proxy-route-spec"));
     assert!(args.iter().any(|arg| arg == "{\"routes\":[]}"));
 }
 
+#[test]
+fn inner_command_includes_split_policy_flags() {
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+    let args = build_inner_seccomp_command(InnerSeccompCommandArgs {
+        sandbox_policy_cwd: Path::new("/tmp"),
+        sandbox_policy: &sandbox_policy,
+        file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
+        network_sandbox_policy: NetworkSandboxPolicy::Restricted,
+        use_bwrap_sandbox: true,
+        allow_network_for_proxy: false,
+        proxy_route_spec: None,
+        command: vec!["/bin/true".to_string()],
+    });
+
+    assert!(args.iter().any(|arg| arg == "--file-system-sandbox-policy"));
+    assert!(args.iter().any(|arg| arg == "--network-sandbox-policy"));
+}
+
 #[test]
 fn non_managed_inner_command_omits_route_spec() {
-    let args = build_inner_seccomp_command(
-        Path::new("/tmp"),
-        &SandboxPolicy::new_read_only_policy(),
-        true,
-        false,
-        None,
-        vec!["/bin/true".to_string()],
-    );
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+    let args = build_inner_seccomp_command(InnerSeccompCommandArgs {
+        sandbox_policy_cwd: Path::new("/tmp"),
+        sandbox_policy: &sandbox_policy,
+        file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
+        network_sandbox_policy: NetworkSandboxPolicy::Restricted,
+        use_bwrap_sandbox: true,
+        allow_network_for_proxy: false,
+        proxy_route_spec: None,
+        command: vec!["/bin/true".to_string()],
+    });
 
     assert!(!args.iter().any(|arg| arg == "--proxy-route-spec"));
 }
@@ -134,15 +164,71 @@ fn non_managed_inner_command_omits_route_spec() {
 #[test]
 fn managed_proxy_inner_command_requires_route_spec() {
     let result = std::panic::catch_unwind(|| {
-        build_inner_seccomp_command(
+        let sandbox_policy = SandboxPolicy::new_read_only_policy();
+        build_inner_seccomp_command(InnerSeccompCommandArgs {
+            sandbox_policy_cwd: Path::new("/tmp"),
+            sandbox_policy: &sandbox_policy,
+            file_system_sandbox_policy: &FileSystemSandboxPolicy::from(&sandbox_policy),
+            network_sandbox_policy: NetworkSandboxPolicy::Restricted,
+            use_bwrap_sandbox: true,
+            allow_network_for_proxy: true,
+            proxy_route_spec: None,
+            command: vec!["/bin/true".to_string()],
+        })
+    });
+    assert!(result.is_err());
+}
+
+#[test]
+fn resolve_sandbox_policies_derives_split_policies_from_legacy_policy() {
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+
+    let resolved =
+        resolve_sandbox_policies(Path::new("/tmp"), Some(sandbox_policy.clone()), None, None);
+
+    assert_eq!(resolved.sandbox_policy, sandbox_policy);
+    assert_eq!(
+        resolved.file_system_sandbox_policy,
+        FileSystemSandboxPolicy::from(&sandbox_policy)
+    );
+    assert_eq!(
+        resolved.network_sandbox_policy,
+        NetworkSandboxPolicy::from(&sandbox_policy)
+    );
+}
+
+#[test]
+fn resolve_sandbox_policies_derives_legacy_policy_from_split_policies() {
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
+    let file_system_sandbox_policy = FileSystemSandboxPolicy::from(&sandbox_policy);
+    let network_sandbox_policy = NetworkSandboxPolicy::from(&sandbox_policy);
+
+    let resolved = resolve_sandbox_policies(
+        Path::new("/tmp"),
+        None,
+        Some(file_system_sandbox_policy.clone()),
+        Some(network_sandbox_policy),
+    );
+
+    assert_eq!(resolved.sandbox_policy, sandbox_policy);
+    assert_eq!(
+        resolved.file_system_sandbox_policy,
+        file_system_sandbox_policy
+    );
+    assert_eq!(resolved.network_sandbox_policy, network_sandbox_policy);
+}
+
+#[test]
+fn resolve_sandbox_policies_rejects_partial_split_policies() {
+    let result = std::panic::catch_unwind(|| {
+        resolve_sandbox_policies(
             Path::new("/tmp"),
-            &SandboxPolicy::new_read_only_policy(),
-            true,
-            true,
+            Some(SandboxPolicy::new_read_only_policy()),
+            Some(FileSystemSandboxPolicy::default()),
             None,
-            vec!["/bin/true".to_string()],
         )
     });
+
     assert!(result.is_err());
 }