permissions: move workspace roots onto thread state

Michael Bolin
2026-05-12 23:22:45 -07:00
parent fbfbfe5fc5
commit 8a76af2354
168 changed files with 3246 additions and 3357 deletions


@@ -229,7 +229,7 @@ async fn run_command_under_sandbox(
let network_proxy = match config.permissions.network.as_ref() {
Some(spec) => Some(
spec.start_proxy(
config.permissions.permission_profile.get(),
config.permissions.permission_profile_ref(),
/*policy_decider*/ None,
/*blocked_request_observer*/ None,
managed_network_requirements_enabled,
@@ -284,7 +284,7 @@ async fn run_command_under_sandbox(
let args = create_linux_sandbox_command_args_for_permission_profile(
command,
cwd.as_path(),
&config.permissions.permission_profile(),
config.permissions.permission_profile_ref(),
sandbox_policy_cwd.as_path(),
use_legacy_landlock,
allow_network_for_proxy(managed_network_requirements_enabled),
@@ -769,6 +769,16 @@ mod tests {
Ok(())
}
fn workspace_write_policy_for_codex_home(
codex_home: &TempDir,
) -> codex_protocol::permissions::FileSystemSandboxPolicy {
let memories_root = AbsolutePathBuf::try_from(codex_home.path().join("memories"))
.expect("codex home tempdir should be absolute");
codex_protocol::models::PermissionProfile::workspace_write()
.file_system_sandbox_policy()
.with_additional_legacy_workspace_writable_roots(std::slice::from_ref(&memories_root))
}
#[tokio::test]
async fn debug_sandbox_honors_active_permission_profiles() -> anyhow::Result<()> {
let codex_home = TempDir::new()?;
@@ -947,8 +957,7 @@ mod tests {
assert_eq!(
config.permissions.file_system_sandbox_policy(),
codex_protocol::models::PermissionProfile::workspace_write()
.file_system_sandbox_policy()
workspace_write_policy_for_codex_home(&codex_home)
);
Ok(())
@@ -980,8 +989,7 @@ mod tests {
assert_eq!(
config.permissions.file_system_sandbox_policy(),
codex_protocol::models::PermissionProfile::workspace_write()
.file_system_sandbox_policy()
workspace_write_policy_for_codex_home(&codex_home)
);
Ok(())