exec-server: carry filesystem sandbox profiles (#18276)

## Why The exec-server still needs platform sandbox inputs, but the migration should preserve the `PermissionProfile` that produced them. Keeping only the derived legacy sandbox map would keep `SandboxPolicy` as the effective abstraction and would make full-disk vs. restricted profiles harder to preserve as the permissions stack starts round-tripping profiles. `PermissionProfile` entries can also be cwd-sensitive (`:cwd`, `:project_roots`, relative globs), so the exec-server must carry the request sandbox cwd instead of resolving those entries against the long-lived exec-server process cwd. ## What changed `FileSystemSandboxContext` now carries `permissions: PermissionProfile` plus an optional `cwd`: - removed `sandboxPolicy`, `sandboxPolicyCwd`, `fileSystemSandboxPolicy`, and `additionalPermissions` - added `permissions` and `cwd` - kept the platform knobs `windowsSandboxLevel`, `windowsSandboxPrivateDesktop`, and `useLegacyLandlock` Core turn and apply-patch paths populate the context from the active runtime permissions and request cwd. Exec-server derives platform `SandboxPolicy`/`FileSystemSandboxPolicy` at the filesystem boundary, adds helper runtime reads there, and rejects cwd-dependent profiles that arrive without a cwd. The legacy `FileSystemSandboxContext::new(SandboxPolicy)` constructor now preserves the old workspace-write conversion semantics for compatibility tests/callers. ## Verification - `cargo test -p codex-exec-server` - `cargo test -p codex-exec-server sandbox_cwd -- --nocapture` - `cargo test -p codex-exec-server sandbox_context_new_preserves_legacy_workspace_write_read_only_subpaths -- --nocapture` - `cargo test -p codex-core --lib file_system_sandbox_context_uses_active_attempt -- --nocapture`
2026-06-01 19:02:59 +00:00 · 2026-04-21 20:22:28 -07:00
parent 564860e8bd
commit 36f8bb4ffa
6 changed files with 345 additions and 363 deletions
--- a/codex-rs/exec-server/src/file_system.rs
+++ b/codex-rs/exec-server/src/file_system.rs
@@ -1,7 +1,9 @@
 use async_trait::async_trait;
 use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::FileSystemSandboxKind;
 use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use tokio::io;
@@ -41,37 +43,65 @@ pub struct ReadDirectoryEntry {
 #[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct FileSystemSandboxContext {
-    pub sandbox_policy: SandboxPolicy,
+    pub permissions: PermissionProfile,
    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub sandbox_policy_cwd: Option<AbsolutePathBuf>,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub file_system_sandbox_policy: Option<FileSystemSandboxPolicy>,
+    pub cwd: Option<AbsolutePathBuf>,
    pub windows_sandbox_level: WindowsSandboxLevel,
    #[serde(default)]
    pub windows_sandbox_private_desktop: bool,
    #[serde(default)]
    pub use_legacy_landlock: bool,
-    pub additional_permissions: Option<PermissionProfile>,
 }

 impl FileSystemSandboxContext {
    pub fn new(sandbox_policy: SandboxPolicy) -> Self {
+        if let Ok(cwd) = AbsolutePathBuf::current_dir() {
+            Self::from_legacy_sandbox_policy(sandbox_policy, cwd)
+        } else {
+            let permissions = PermissionProfile::from_runtime_permissions(
+                &FileSystemSandboxPolicy::from(&sandbox_policy),
+                NetworkSandboxPolicy::from(&sandbox_policy),
+            );
+            Self::from_permission_profile(permissions)
+        }
+    }
+
+    pub fn from_legacy_sandbox_policy(sandbox_policy: SandboxPolicy, cwd: AbsolutePathBuf) -> Self {
+        let permissions = PermissionProfile::from_runtime_permissions(
+            &FileSystemSandboxPolicy::from_legacy_sandbox_policy(&sandbox_policy, cwd.as_path()),
+            NetworkSandboxPolicy::from(&sandbox_policy),
+        );
+        Self::from_permission_profile_with_cwd(permissions, cwd)
+    }
+
+    pub fn from_permission_profile(permissions: PermissionProfile) -> Self {
+        Self::from_permissions_and_cwd(permissions, /*cwd*/ None)
+    }
+
+    pub fn from_permission_profile_with_cwd(
+        permissions: PermissionProfile,
+        cwd: AbsolutePathBuf,
+    ) -> Self {
+        Self::from_permissions_and_cwd(permissions, Some(cwd))
+    }
+
+    fn from_permissions_and_cwd(
+        permissions: PermissionProfile,
+        cwd: Option<AbsolutePathBuf>,
+    ) -> Self {
        Self {
-            sandbox_policy,
-            sandbox_policy_cwd: None,
-            file_system_sandbox_policy: None,
+            permissions,
+            cwd,
            windows_sandbox_level: WindowsSandboxLevel::Disabled,
            windows_sandbox_private_desktop: false,
            use_legacy_landlock: false,
-            additional_permissions: None,
        }
    }

    pub fn should_run_in_sandbox(&self) -> bool {
-        matches!(
-            self.sandbox_policy,
-            SandboxPolicy::ReadOnly { .. } | SandboxPolicy::WorkspaceWrite { .. }
-        )
+        let file_system_policy = self.permissions.file_system_sandbox_policy();
+        matches!(file_system_policy.kind, FileSystemSandboxKind::Restricted)
+            && !file_system_policy.has_full_disk_write_access()
    }
 }