feat: make sandbox read access configurable with ReadOnlyAccess (#11387)

`SandboxPolicy::ReadOnly` previously implied broad read access and could not express a narrower read surface. This change introduces an explicit read-access model so we can support user-configurable read restrictions in follow-up work, while preserving current behavior today. It also ensures unsupported backends fail closed for restricted-read policies instead of silently granting broader access than intended. ## What - Added `ReadOnlyAccess` in protocol with: - `Restricted { include_platform_defaults, readable_roots }` - `FullAccess` - Updated `SandboxPolicy` to carry read-access configuration: - `ReadOnly { access: ReadOnlyAccess }` - `WorkspaceWrite { ..., read_only_access: ReadOnlyAccess }` - Preserved existing behavior by defaulting current construction paths to `ReadOnlyAccess::FullAccess`. - Threaded the new fields through sandbox policy consumers and call sites across `core`, `tui`, `linux-sandbox`, `windows-sandbox`, and related tests. - Updated Seatbelt policy generation to honor restricted read roots by emitting scoped read rules when full read access is not granted. - Added fail-closed behavior on Linux and Windows backends when restricted read access is requested but not yet implemented there (`UnsupportedOperation`). - Regenerated app-server protocol schema and TypeScript artifacts, including `ReadOnlyAccess`. ## Compatibility / rollout - Runtime behavior remains unchanged by default (`FullAccess`). - API/schema changes are in place so future config wiring can enable restricted read access without another policy-shape migration.
2026-04-27 08:05:51 +00:00 · 2026-02-11 18:31:14 -08:00
parent 572ab66496
commit abbd74e2be
79 changed files with 1797 additions and 188 deletions
--- a/codex-rs/linux-sandbox/src/bwrap.rs
+++ b/codex-rs/linux-sandbox/src/bwrap.rs
@@ -141,6 +141,13 @@ fn create_bwrap_flags(
 /// 4. `--dev-bind /dev/null /dev/null` preserves the common sink even under a
 ///    read-only root.
 fn create_filesystem_args(sandbox_policy: &SandboxPolicy, cwd: &Path) -> Result<Vec<String>> {
+    if !sandbox_policy.has_full_disk_read_access() {
+        return Err(CodexErr::UnsupportedOperation(
+            "Restricted read-only access is not yet supported by the Linux bubblewrap backend."
+                .to_string(),
+        ));
+    }
+
    let writable_roots = sandbox_policy.get_writable_roots_with_cwd(cwd);
    ensure_mount_targets_exist(&writable_roots)?;

--- a/codex-rs/linux-sandbox/src/landlock.rs
+++ b/codex-rs/linux-sandbox/src/landlock.rs
@@ -62,6 +62,13 @@ pub(crate) fn apply_sandbox_policy_to_current_thread(
    }

    if apply_landlock_fs && !sandbox_policy.has_full_disk_write_access() {
+        if !sandbox_policy.has_full_disk_read_access() {
+            return Err(CodexErr::UnsupportedOperation(
+                "Restricted read-only access is not supported by the legacy Linux Landlock filesystem backend."
+                    .to_string(),
+            ));
+        }
+
        let writable_roots = sandbox_policy
            .get_writable_roots_with_cwd(cwd)
            .into_iter()
@@ -70,9 +77,6 @@ pub(crate) fn apply_sandbox_policy_to_current_thread(
        install_filesystem_landlock_rules_on_current_thread(writable_roots)?;
    }

-    // TODO(ragona): Add appropriate restrictions if
-    // `sandbox_policy.has_full_disk_read_access()` is `false`.
-
    Ok(())
 }

@@ -222,11 +226,11 @@ mod tests {
    #[test]
    fn restricted_network_policy_always_installs_seccomp() {
        assert!(should_install_network_seccomp(
-            &SandboxPolicy::ReadOnly,
+            &SandboxPolicy::new_read_only_policy(),
            false
        ));
        assert!(should_install_network_seccomp(
-            &SandboxPolicy::ReadOnly,
+            &SandboxPolicy::new_read_only_policy(),
            true
        ));
    }
--- a/codex-rs/linux-sandbox/src/linux_run_main.rs
+++ b/codex-rs/linux-sandbox/src/linux_run_main.rs
@@ -391,7 +391,7 @@ mod tests {
    fn inserts_bwrap_argv0_before_command_separator() {
        let argv = build_bwrap_argv(
            vec!["/bin/true".to_string()],
-            &SandboxPolicy::ReadOnly,
+            &SandboxPolicy::new_read_only_policy(),
            Path::new("/"),
            BwrapOptions {
                mount_proc: true,
@@ -425,7 +425,7 @@ mod tests {
    fn inserts_unshare_net_when_network_isolation_requested() {
        let argv = build_bwrap_argv(
            vec!["/bin/true".to_string()],
-            &SandboxPolicy::ReadOnly,
+            &SandboxPolicy::new_read_only_policy(),
            Path::new("/"),
            BwrapOptions {
                mount_proc: true,
@@ -439,7 +439,7 @@ mod tests {
    fn inserts_unshare_net_when_proxy_only_network_mode_requested() {
        let argv = build_bwrap_argv(
            vec!["/bin/true".to_string()],
-            &SandboxPolicy::ReadOnly,
+            &SandboxPolicy::new_read_only_policy(),
            Path::new("/"),
            BwrapOptions {
                mount_proc: true,