fix: unblock private DNS in macOS sandbox (#17370)

## Summary
- keep hostname targets proxied by default by removing hostname suffixes
from the managed `NO_PROXY` value while preserving private/link-local
CIDRs
- make the macOS `allow_local_binding` sandbox rules match the local
socket shape used by DNS tools by allowing wildcard local binds
- allow raw DNS egress to remote port 53 only when `allow_local_binding`
is enabled, without opening blanket outbound network access

## Root cause
Raw DNS tools do not honor `HTTP_PROXY` or `ALL_PROXY`, so the
proxy-only Seatbelt policy blocked their resolver traffic before it
could reach host DNS. In the affected managed config,
`allow_local_binding = true`, but the existing rule only allowed
`localhost:*` binds; `dig`/BIND can bind sockets in a way that needs
wildcard local binding. Separately, hostname suffixes in `NO_PROXY`
could force internal hostnames to resolve locally instead of through the
proxy path.

---------

Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
2026-04-10 20:34:04 -07:00
committed by GitHub
parent 66e13efd9c
commit 8a474a6561
3 changed files with 66 additions and 8 deletions


@@ -379,8 +379,10 @@ pub const NO_PROXY_ENV_KEYS: &[&str] = &[
pub const DEFAULT_NO_PROXY_VALUE: &str = concat!(
"localhost,127.0.0.1,::1,",
"*.local,.local,",
"169.254.0.0/16,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
"169.254.0.0/16,",
"10.0.0.0/8,",
"172.16.0.0/12,",
"192.168.0.0/16"
);
pub fn proxy_url_env_value<'a>(
@@ -452,7 +454,9 @@ fn apply_proxy_env_overrides(
// HTTP(S)_PROXY. Keep them aligned with the managed HTTP proxy endpoint.
set_env_keys(env, WEBSOCKET_PROXY_ENV_KEYS, &http_proxy_url);
// Keep local/private targets direct so local IPC and metadata endpoints avoid the proxy.
// Keep loopback and IP-literal private targets direct so local IPC/LAN access avoids the proxy.
// Do not include hostname suffixes here: those can force clients to resolve internal names
// locally instead of letting the proxy resolve them.
set_env_keys(env, NO_PROXY_ENV_KEYS, DEFAULT_NO_PROXY_VALUE);
env.insert("ELECTRON_GET_USE_PROXY".to_string(), "true".to_string());
@@ -927,6 +931,11 @@ mod tests {
env.get("NO_PROXY"),
Some(&DEFAULT_NO_PROXY_VALUE.to_string())
);
let no_proxy = env.get("NO_PROXY").expect("NO_PROXY should be set");
assert!(no_proxy.contains("10.0.0.0/8"));
assert!(no_proxy.contains("172.16.0.0/12"));
assert!(no_proxy.contains("192.168.0.0/16"));
assert!(no_proxy.contains("169.254.0.0/16"));
assert_eq!(env.get(ALLOW_LOCAL_BINDING_ENV_KEY), Some(&"0".to_string()));
assert_eq!(env.get("ELECTRON_GET_USE_PROXY"), Some(&"true".to_string()));
#[cfg(target_os = "macos")]
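Review bot: The assertions added in the test hunk only check that the private and link-local CIDRs are still present, so nothing fails if a hostname suffix such as `*.local` is later added back to `DEFAULT_NO_PROXY_VALUE`, which is the behaviour this commit removes. Since the preceding `assert_eq!` already ties `NO_PROXY` to the constant, the missing half is a negative check such as `assert!(!no_proxy.contains(".local"));`. It may also be worth one more comment line at the `set_env_keys(env, NO_PROXY_ENV_KEYS, DEFAULT_NO_PROXY_VALUE)` call noting that not every client honours CIDR entries in `NO_PROXY`, so some tools will send private IP literals through the proxy instead of connecting directly. The test function starts and ends outside this hunk.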