From 43f9300564b64e07ca148a64dfb08e837a10cb50 Mon Sep 17 00:00:00 2001
From: viyatb-oai
Date: Mon, 13 Apr 2026 18:06:24 -0700
Subject: [PATCH] test: pin sandbox denial parity

Co-authored-by: Codex noreply@openai.com
---
 codex-rs/sandboxing/src/violation_tests.rs | 50 ++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/codex-rs/sandboxing/src/violation_tests.rs b/codex-rs/sandboxing/src/violation_tests.rs
index f0ad3894b4..68b91e2037 100644
--- a/codex-rs/sandboxing/src/violation_tests.rs
+++ b/codex-rs/sandboxing/src/violation_tests.rs
@@ -22,6 +22,56 @@ fn make_exec_output(
 }
 }
 
+#[test]
+fn preserves_legacy_boolean_denial_keywords() {
+ for keyword in [
+ "operation not permitted",
+ "permission denied",
+ "read-only file system",
+ "seccomp",
+ "sandbox",
+ "landlock",
+ "failed to write file",
+ ] {
+ let output = make_exec_output(/*exit_code*/ 1, "", keyword, "");
+
+ assert_eq!(
+ is_likely_sandbox_denied(SandboxType::LinuxSeccomp, &output),
+ true,
+ "{keyword}"
+ );
+ }
+}
+
+#[test]
+fn preserves_legacy_boolean_denial_ordering() {
+ let quick_reject_without_keyword =
+ make_exec_output(/*exit_code*/ 127, "", "command not found", "");
+ let quick_reject_with_keyword =
+ make_exec_output(/*exit_code*/ 127, "", "Permission denied", "");
+ let zero_exit_with_keyword =
+ make_exec_output(/*exit_code*/ 0, "", "Operation not permitted", "");
+ let non_sandbox_with_keyword =
+ make_exec_output(/*exit_code*/ 1, "", "Operation not permitted", "");
+
+ assert!(!is_likely_sandbox_denied(
+ SandboxType::LinuxSeccomp,
+ &quick_reject_without_keyword
+ ));
+ assert!(is_likely_sandbox_denied(
+ SandboxType::LinuxSeccomp,
+ &quick_reject_with_keyword
+ ));
+ assert!(!is_likely_sandbox_denied(
+ SandboxType::LinuxSeccomp,
+ &zero_exit_with_keyword
+ ));
+ assert!(!is_likely_sandbox_denied(
+ SandboxType::None,
+ &non_sandbox_with_keyword
+ ));
+}
+
 #[test]
 fn classifies_filesystem_violation_with_path() {
 let output = make_exec_output(
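Review bot: `preserves_legacy_boolean_denial_ordering` leaves the precedence it pins unstated, so a reader has to reverse-engineer it from four assertions; a comment above them such as `// Pinned order: SandboxType::None or exit 0 => false; keyword match => true even on quick-reject exit 127; quick reject without keyword => false.` would make the contract explicit. The keywords are plain substrings matched against command output, which is presumably influenced by the sandboxed process, and entries like `"sandbox"` are broad. A negative case at exit code 1 with unrelated output would therefore be worth pinning, unless tests outside this hunk already cover it. Both tests also exercise only one argument position of `make_exec_output` (its signature is outside the hunk) and only exit code 127 as the quick-reject case, so parity for the other output fields and any other quick-reject codes is not pinned. In `preserves_legacy_boolean_denial_keywords`, the `assert_eq!(…, true, "{keyword}")` form is more direct as `assert!(is_likely_sandbox_denied(SandboxType::LinuxSeccomp, &output), "{keyword}");`.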