[codex] Tighten unified exec sandbox setup (#22207)

## Summary - tighten unified exec sandbox initialization - preserve the requested process workdir independently from sandbox setup - add regression coverage for the updated invariant ## Validation - Ran `/tmp/cargo-tools/bin/just fmt`. - Ran the targeted `codex-core` regression test successfully. - Ran `cargo test -p codex-core`; it did not complete cleanly because unrelated existing agent/config-loader tests failed and the run later aborted on a stack overflow in `tools::handlers::multi_agents::tests::tool_handlers_cascade_close_and_resume_and_keep_explicitly_closed_subtrees_closed`. Co-authored-by: Codex <noreply@openai.com>
2026-05-29 23:40:29 +00:00 · 2026-05-12 08:41:00 -07:00
parent 89c8e9a4db
commit 5e3ee5eddf
5 changed files with 48 additions and 2 deletions
--- a/codex-rs/core/src/unified_exec/mod.rs
+++ b/codex-rs/core/src/unified_exec/mod.rs
@@ -92,6 +92,7 @@ pub(crate) struct ExecCommandRequest {
    pub yield_time_ms: u64,
    pub max_output_tokens: Option<usize>,
    pub cwd: AbsolutePathBuf,
+    pub sandbox_cwd: AbsolutePathBuf,
    pub environment: Arc<Environment>,
    pub network: Option<NetworkProxy>,
    pub tty: bool,
--- a/codex-rs/core/src/unified_exec/process_manager.rs
+++ b/codex-rs/core/src/unified_exec/process_manager.rs
@@ -1028,7 +1028,9 @@ impl UnifiedExecProcessManager {
                approval_policy: context.turn.approval_policy.value(),
                permission_profile: context.turn.permission_profile(),
                file_system_sandbox_policy: &file_system_sandbox_policy,
-                sandbox_cwd: cwd.as_path(),
+                // The process cwd may be model-controlled. Policy resolution
+                // stays anchored to the selected turn environment cwd instead.
+                sandbox_cwd: request.sandbox_cwd.as_path(),
                sandbox_permissions: if request.additional_permissions_preapproved {
                    crate::sandboxing::SandboxPermissions::UseDefault
                } else {
@@ -1042,6 +1044,7 @@ impl UnifiedExecProcessManager {
            hook_command: request.hook_command.clone(),
            process_id: request.process_id,
            cwd,
+            sandbox_cwd: request.sandbox_cwd.clone(),
            environment: Arc::clone(&request.environment),
            env,
            exec_server_env_config: Some(exec_server_env_config),
--- a/codex-rs/core/src/unified_exec/process_manager_tests.rs
+++ b/codex-rs/core/src/unified_exec/process_manager_tests.rs
@@ -176,6 +176,7 @@ async fn failed_initial_end_for_unstored_process_uses_fallback_output() {
        yield_time_ms: 1000,
        max_output_tokens: None,
        cwd: turn.cwd.clone(),
+        sandbox_cwd: turn.cwd.clone(),
        environment: turn
            .environments
            .primary_environment()