Address exec-server sandbox review feedback

Co-authored-by: Codex <noreply@openai.com>
2026-04-26 15:45:02 +00:00 · 2026-04-07 10:19:15 -07:00
parent 21ae6e9b3b
commit 2fb1b2de43
13 changed files with 212 additions and 203 deletions
--- a/codex-rs/exec-server/tests/common/exec_server.rs
+++ b/codex-rs/exec-server/tests/common/exec_server.rs
@@ -44,11 +44,6 @@ pub(crate) async fn exec_server() -> anyhow::Result<ExecServerHarness> {
    let binary = cargo_bin("codex-exec-server")?;
    let mut child = Command::new(binary);
    child.args(["--listen", "ws://127.0.0.1:0"]);
-    if cfg!(target_os = "linux")
-        && let Ok(sandbox_binary) = cargo_bin("codex-linux-sandbox")
-    {
-        child.env("CODEX_LINUX_SANDBOX_EXE", sandbox_binary);
-    }
    child.stdin(Stdio::null());
    child.stdout(Stdio::piped());
    child.stderr(Stdio::inherit());
--- a/codex-rs/exec-server/tests/exec_process.rs
+++ b/codex-rs/exec-server/tests/exec_process.rs
@@ -12,7 +12,15 @@ use codex_exec_server::ExecProcess;
 use codex_exec_server::ProcessId;
 use codex_exec_server::ReadResponse;
 use codex_exec_server::StartedExecProcess;
+use codex_protocol::config_types::WindowsSandboxLevel;
+use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::NetworkSandboxPolicy;
+use codex_protocol::protocol::SandboxPolicy;
+use codex_sandboxing::SandboxLaunchConfig;
+use codex_sandboxing::SandboxLaunchMode;
+use codex_sandboxing::SandboxType;
 use pretty_assertions::assert_eq;
+use tempfile::TempDir;
 use test_case::test_case;
 use tokio::sync::watch;
 use tokio::time::Duration;
@@ -213,6 +221,76 @@ async fn assert_exec_process_preserves_queued_events_before_subscribe(
    Ok(())
 }

+fn platform_sandbox_type() -> SandboxType {
+    if cfg!(target_os = "macos") {
+        SandboxType::MacosSeatbelt
+    } else if cfg!(target_os = "linux") {
+        SandboxType::LinuxSeccomp
+    } else {
+        unreachable!("unix exec-server tests only run on macOS and Linux");
+    }
+}
+
+fn write_outside_workspace_sandbox(workspace_root: &std::path::Path) -> SandboxLaunchConfig {
+    let policy = SandboxPolicy::new_workspace_write_policy();
+    SandboxLaunchConfig {
+        mode: SandboxLaunchMode::Require,
+        policy: policy.clone(),
+        file_system_policy: FileSystemSandboxPolicy::from_legacy_sandbox_policy(
+            &policy,
+            workspace_root,
+        ),
+        network_policy: NetworkSandboxPolicy::from(&policy),
+        sandbox_policy_cwd: workspace_root.to_path_buf(),
+        additional_permissions: None,
+        enforce_managed_network: false,
+        windows_sandbox_level: WindowsSandboxLevel::Disabled,
+        windows_sandbox_private_desktop: false,
+        use_legacy_landlock: false,
+    }
+}
+
+async fn assert_exec_process_sandbox_denies_write_outside_workspace(
+    use_remote: bool,
+) -> Result<()> {
+    let temp_dir = TempDir::new()?;
+    let workspace_root = temp_dir.path().join("workspace");
+    std::fs::create_dir(&workspace_root)?;
+    let blocked_path = temp_dir.path().join("blocked.txt");
+    let context = create_process_context(use_remote).await?;
+    let session = context
+        .backend
+        .start(ExecParams {
+            process_id: ProcessId::from("proc-sandbox-denied"),
+            argv: vec![
+                "/usr/bin/python3".to_string(),
+                "-c".to_string(),
+                "from pathlib import Path; import sys; Path(sys.argv[1]).write_text('blocked')"
+                    .to_string(),
+                blocked_path.to_string_lossy().into_owned(),
+            ],
+            cwd: workspace_root.clone(),
+            env: Default::default(),
+            tty: false,
+            arg0: None,
+            sandbox: Some(write_outside_workspace_sandbox(&workspace_root)),
+        })
+        .await?;
+
+    assert_eq!(session.sandbox_type, platform_sandbox_type());
+    let StartedExecProcess { process, .. } = session;
+    let wake_rx = process.subscribe_wake();
+    let (_output, exit_code, closed) = collect_process_output_from_reads(process, wake_rx).await?;
+
+    assert_ne!(exit_code, Some(0));
+    assert!(closed);
+    assert!(
+        !blocked_path.exists(),
+        "sandboxed process unexpectedly wrote outside the workspace root"
+    );
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn remote_exec_process_reports_transport_disconnect() -> Result<()> {
    let mut context = create_process_context(/*use_remote*/ true).await?;
@@ -284,3 +362,10 @@ async fn exec_process_write_then_read(use_remote: bool) -> Result<()> {
 async fn exec_process_preserves_queued_events_before_subscribe(use_remote: bool) -> Result<()> {
    assert_exec_process_preserves_queued_events_before_subscribe(use_remote).await
 }
+
+#[test_case(false ; "local")]
+#[test_case(true ; "remote")]
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn exec_process_sandbox_denies_write_outside_workspace(use_remote: bool) -> Result<()> {
+    assert_exec_process_sandbox_denies_write_outside_workspace(use_remote).await
+}
--- a/codex-rs/exec-server/tests/process.rs
+++ b/codex-rs/exec-server/tests/process.rs
@@ -7,7 +7,6 @@ use codex_app_server_protocol::JSONRPCResponse;
 use codex_exec_server::ExecResponse;
 use codex_exec_server::InitializeParams;
 use codex_exec_server::ProcessId;
-use codex_sandboxing::SandboxType;
 use common::exec_server::exec_server;
 use pretty_assertions::assert_eq;

@@ -38,16 +37,6 @@ async fn initialize_server(
    Ok(())
 }

-fn sandbox_wire_test_mode() -> (&'static str, SandboxType) {
-    if cfg!(target_os = "macos") {
-        ("require", SandboxType::MacosSeatbelt)
-    } else if cfg!(target_os = "linux") {
-        ("disabled", SandboxType::None)
-    } else {
-        unreachable!("unix exec-server tests only run on macOS and Linux");
-    }
-}
-
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn exec_server_starts_process_over_websocket() -> anyhow::Result<()> {
    let mut server = exec_server().await?;
@@ -83,68 +72,6 @@ async fn exec_server_starts_process_over_websocket() -> anyhow::Result<()> {
        process_start_response,
        ExecResponse {
            process_id: ProcessId::from("proc-1"),
-            sandbox_type: SandboxType::None,
-        }
-    );
-
-    server.shutdown().await?;
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn exec_server_starts_sandboxed_process_over_websocket() -> anyhow::Result<()> {
-    let mut server = exec_server().await?;
-    initialize_server(&mut server).await?;
-
-    let cwd = std::env::current_dir()?;
-    let (sandbox_mode, expected_sandbox_type) = sandbox_wire_test_mode();
-    let process_start_id = server
-        .send_request(
-            "process/start",
-            serde_json::json!({
-                "processId": "proc-sandbox",
-                "argv": ["true"],
-                "cwd": cwd,
-                "env": {},
-                "tty": false,
-                "arg0": null,
-                "sandbox": {
-                    "mode": sandbox_mode,
-                    "policy": {
-                        "type": "danger-full-access"
-                    },
-                    "fileSystemPolicy": {
-                        "kind": "unrestricted",
-                        "entries": []
-                    },
-                    "networkPolicy": "enabled",
-                    "sandboxPolicyCwd": cwd,
-                    "enforceManagedNetwork": false,
-                    "windowsSandboxLevel": "disabled",
-                    "windowsSandboxPrivateDesktop": false,
-                    "useLegacyLandlock": false
-                }
-            }),
-        )
-        .await?;
-    let response = server
-        .wait_for_event(|event| {
-            matches!(
-                event,
-                JSONRPCMessage::Response(JSONRPCResponse { id, .. }) if id == &process_start_id
-            )
-        })
-        .await?;
-    let JSONRPCMessage::Response(JSONRPCResponse { id, result }) = response else {
-        panic!("expected process/start response");
-    };
-    assert_eq!(id, process_start_id);
-    let process_start_response: ExecResponse = serde_json::from_value(result)?;
-    assert_eq!(
-        process_start_response,
-        ExecResponse {
-            process_id: ProcessId::from("proc-sandbox"),
-            sandbox_type: expected_sandbox_type,
        }
    );