codex: dispatch exec-server sandbox helper via argv0

Teach the standalone exec-server binary to run the Linux sandbox helper when it is re-execed with the codex-linux-sandbox argv0 alias. Point the exec-server sandbox transform at the current executable on Linux instead of requiring an env-provided helper path. Co-authored-by: Codex <noreply@openai.com>
2026-04-25 23:24:55 +00:00 · 2026-04-07 15:24:33 -07:00
parent 4e90a1a891
commit 3d5f1a4e56
5 changed files with 64 additions and 22 deletions
--- a/codex-rs/exec-server/tests/exec_process.rs
+++ b/codex-rs/exec-server/tests/exec_process.rs
@@ -235,7 +235,16 @@ fn platform_sandbox_type() -> SandboxType {
 }

 fn write_outside_workspace_sandbox(workspace_root: &std::path::Path) -> SandboxLaunchConfig {
-    let policy = SandboxPolicy::new_workspace_write_policy();
+    let mut policy = SandboxPolicy::new_workspace_write_policy();
+    if let SandboxPolicy::WorkspaceWrite {
+        exclude_tmpdir_env_var,
+        exclude_slash_tmp,
+        ..
+    } = &mut policy
+    {
+        *exclude_tmpdir_env_var = true;
+        *exclude_slash_tmp = true;
+    }
    SandboxLaunchConfig {
        sandbox: platform_sandbox_type(),
        policy: policy.clone(),
@@ -368,9 +377,7 @@ async fn exec_process_preserves_queued_events_before_subscribe(use_remote: bool)
    assert_exec_process_preserves_queued_events_before_subscribe(use_remote).await
 }

-#[test_case(false ; "local")]
-#[test_case(true ; "remote")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn exec_process_sandbox_denies_write_outside_workspace(use_remote: bool) -> Result<()> {
-    assert_exec_process_sandbox_denies_write_outside_workspace(use_remote).await
+async fn remote_exec_process_sandbox_denies_write_outside_workspace() -> Result<()> {
+    assert_exec_process_sandbox_denies_write_outside_workspace(/*use_remote*/ true).await
 }