fix(network-proxy): add unix socket allow-all and update seatbelt rules (#11368)

## Summary Adds support for a Unix socket escape hatch so we can bypass socket allowlisting when explicitly enabled. ## Description * added a new flag, `network.dangerously_allow_all_unix_sockets` as an explicit escape hatch * In codex-network-proxy, enabling that flag now allows any absolute Unix socket path from x-unix-socket instead of requiring each path to be explicitly allowlisted. Relative paths are still rejected. * updated the macOS seatbelt path in core so it enforces the same Unix socket behavior: * allowlisted sockets generate explicit network* subpath rules * allow-all generates a broad network* (subpath "/") rule --------- Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
2026-04-29 00:55:38 +00:00 · 2026-02-20 10:56:57 -08:00
parent 73fd939296
commit 28c0089060
19 changed files with 553 additions and 18 deletions
--- a/codex-rs/network-proxy/src/proxy.rs
+++ b/codex-rs/network-proxy/src/proxy.rs
@@ -206,6 +206,10 @@ impl NetworkProxyBuilder {
            socks_addr,
            socks_enabled: current_cfg.network.enable_socks5,
            allow_local_binding: current_cfg.network.allow_local_binding,
+            allow_unix_sockets: current_cfg.network.allow_unix_sockets.clone(),
+            dangerously_allow_all_unix_sockets: current_cfg
+                .network
+                .dangerously_allow_all_unix_sockets,
            admin_addr,
            reserved_listeners,
            policy_decider: self.policy_decider,
@@ -240,6 +244,8 @@ pub struct NetworkProxy {
    socks_addr: SocketAddr,
    socks_enabled: bool,
    allow_local_binding: bool,
+    allow_unix_sockets: Vec<String>,
+    dangerously_allow_all_unix_sockets: bool,
    admin_addr: SocketAddr,
    reserved_listeners: Option<Arc<ReservedListeners>>,
    policy_decider: Option<Arc<dyn NetworkPolicyDecider>>,
@@ -419,6 +425,18 @@ impl NetworkProxy {
        self.admin_addr
    }

+    pub fn allow_local_binding(&self) -> bool {
+        self.allow_local_binding
+    }
+
+    pub fn allow_unix_sockets(&self) -> &[String] {
+        &self.allow_unix_sockets
+    }
+
+    pub fn dangerously_allow_all_unix_sockets(&self) -> bool {
+        self.dangerously_allow_all_unix_sockets
+    }
+
    pub fn apply_to_env(&self, env: &mut HashMap<String, String>) {
        // Enforce proxying for child processes. We intentionally override existing values so
        // command-level environment cannot bypass the managed proxy endpoint.
@@ -441,7 +459,9 @@ impl NetworkProxy {
        ensure_rustls_crypto_provider();

        if !unix_socket_permissions_supported() {
-            warn!("allowUnixSockets is macOS-only; requests will be rejected on this platform");
+            warn!(
+                "allowUnixSockets and dangerouslyAllowAllUnixSockets are macOS-only; requests will be rejected on this platform"
+            );
        }

        let reserved_listeners = self.reserved_listeners.as_ref();