Protect first-time project .codex creation across Linux and macOS sandboxes (#15067)

## Problem Codex already treated an existing top-level project `./.codex` directory as protected, but there was a gap on first creation. If `./.codex` did not exist yet, a turn could create files under it, such as `./.codex/config.toml`, without going through the same approval path as later modifications. That meant the initial write could bypass the intended protection for project-local Codex state. ## What this changes This PR closes that first-creation gap in the Unix enforcement layers: - `codex-protocol` - treat the top-level project `./.codex` path as a protected carveout even when it does not exist yet - avoid injecting the default carveout when the user already has an explicit rule for that exact path - macOS Seatbelt - deny writes to both the exact protected path and anything beneath it, so creating `./.codex` itself is blocked in addition to writes inside it - Linux bubblewrap - preserve the same protected-path behavior for first-time creation under `./.codex` - tests - add protocol regressions for missing `./.codex` and explicit-rule collisions - add Unix sandbox coverage for blocking first-time `./.codex` creation - tighten Seatbelt policy assertions around excluded subpaths ## Scope This change is intentionally scoped to protecting the top-level project `.codex` subtree from agent writes. It does not make `.codex` unreadable, and it does not change the product behavior around loading project skills from `.codex` when project config is untrusted. ## Why this shape The fix is pointed rather than broad: - it preserves the current model of “project `.codex` is protected from writes” - it closes the security-relevant first-write hole - it avoids folding a larger permissions-model redesign into this PR ## Validation - `cargo test -p codex-protocol` - `cargo test -p codex-sandboxing seatbelt` - `cargo test -p codex-exec --test all sandbox_blocks_first_time_dot_codex_creation -- --nocapture` --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
2026-06-01 19:02:59 +00:00 · 2026-03-26 16:06:53 -04:00
parent 9736fa5e3d
commit 86764af684
10 changed files with 571 additions and 112 deletions
--- a/codex-rs/core/src/exec_tests.rs
+++ b/codex-rs/core/src/exec_tests.rs
@@ -595,6 +595,19 @@ fn windows_restricted_token_supports_full_read_split_write_read_carveouts() {
        },
    ]);

+    #[cfg(windows)]
+    let expected_deny_write_paths = vec![
+        codex_utils_absolute_path::AbsolutePathBuf::from_absolute_path(cwd.join(".codex"))
+            .expect("absolute .codex"),
+        codex_utils_absolute_path::AbsolutePathBuf::from_absolute_path(&docs)
+            .expect("absolute docs"),
+    ];
+    #[cfg(not(windows))]
+    let expected_deny_write_paths = vec![
+        codex_utils_absolute_path::AbsolutePathBuf::from_absolute_path(&docs)
+            .expect("absolute docs"),
+    ];
+
    assert_eq!(
        resolve_windows_restricted_token_filesystem_overlay(
            SandboxType::WindowsRestrictedToken,
@@ -605,10 +618,7 @@ fn windows_restricted_token_supports_full_read_split_write_read_carveouts() {
            WindowsSandboxLevel::RestrictedToken,
        ),
        Ok(Some(WindowsRestrictedTokenFilesystemOverlay {
-            additional_deny_write_paths: vec![
-                codex_utils_absolute_path::AbsolutePathBuf::from_absolute_path(&docs)
-                    .expect("absolute docs"),
-            ],
+            additional_deny_write_paths: expected_deny_write_paths,
        }))
    );
 }