core(sandbox): fix openpty test

2026-04-26 23:55:25 +00:00 · 2025-12-03 09:54:35 -08:00
parent 4785344c9c
commit 2d50c0a865
4 changed files with 49 additions and 46 deletions
--- a/codex-rs/exec/tests/suite/sandbox.rs
+++ b/codex-rs/exec/tests/suite/sandbox.rs
@@ -109,45 +109,6 @@ if __name__ == '__main__':
    assert!(status.success(), "python exited with {status:?}");
 }

-#[tokio::test]
-async fn python_getpwuid_works_under_sandbox() {
-    core_test_support::skip_if_sandbox!();
-
-    if std::process::Command::new("python3")
-        .arg("--version")
-        .status()
-        .is_err()
-    {
-        eprintln!("python3 not found in PATH, skipping test.");
-        return;
-    }
-
-    let policy = SandboxPolicy::ReadOnly;
-    let command_cwd = std::env::current_dir().expect("should be able to get current dir");
-    let sandbox_cwd = command_cwd.clone();
-
-    let mut child = spawn_command_under_sandbox(
-        vec![
-            "python3".to_string(),
-            "-c".to_string(),
-            "import pwd, os; print(pwd.getpwuid(os.getuid()))".to_string(),
-        ],
-        command_cwd,
-        &policy,
-        sandbox_cwd.as_path(),
-        StdioPolicy::RedirectForShellTool,
-        HashMap::new(),
-    )
-    .await
-    .expect("should be able to spawn python under sandbox");
-
-    let status = child
-        .wait()
-        .await
-        .expect("should be able to wait for child process");
-    assert!(status.success(), "python exited with {status:?}");
-}
-
 #[tokio::test]
 async fn sandbox_distinguishes_command_and_policy_cwds() {
    core_test_support::skip_if_sandbox!();
@@ -315,6 +276,45 @@ async fn allow_unix_socketpair_recvfrom() {
    .expect("should be able to reexec");
 }

+#[tokio::test]
+async fn openpty_works_under_seatbelt() {
+    core_test_support::skip_if_sandbox!();
+    if which::which("python3").is_err() {
+        eprintln!("python3 not found in PATH, skipping test.");
+        return;
+    }
+
+    let policy = SandboxPolicy::ReadOnly;
+    let command_cwd = std::env::current_dir().expect("getcwd");
+    let sandbox_cwd = command_cwd.clone();
+
+    let mut child = spawn_command_under_sandbox(
+        vec![
+            "python3".to_string(),
+            "-c".to_string(),
+            r#"import os
+
+master, slave = os.openpty()
+os.write(slave, b"ping")
+assert os.read(master, 4) == b"ping""#
+                .to_string(),
+        ],
+        command_cwd,
+        &policy,
+        sandbox_cwd.as_path(),
+        StdioPolicy::RedirectForShellTool,
+        HashMap::new(),
+    )
+    .await
+    .expect("should be able to spawn python under sandbox");
+
+    let status = child
+        .wait()
+        .await
+        .expect("should be able to wait for child process");
+    assert!(status.success(), "python exited with {status:?}");
+}
+
 const IN_SANDBOX_ENV_VAR: &str = "IN_SANDBOX";

 #[expect(clippy::expect_used)]