codex: address PR review feedback (#16747)

starr-openai
2026-04-03 18:30:43 -07:00
parent 1292268eea
commit b85bee8cba


@@ -33,6 +33,7 @@ use crate::RemoveOptions;
use crate::local_file_system::LocalFileSystem;
const INTERNAL_FS_OP_FLAG: &str = "--internal-fs-op";
const HELPER_WINDOWS_SANDBOX_LEVEL: WindowsSandboxLevel = WindowsSandboxLevel::RestrictedToken;
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "camelCase")]
@@ -408,7 +409,7 @@ fn prepare_helper_request(
&effective_file_system_policy,
network_policy,
codex_sandboxing::SandboxablePreference::Auto,
WindowsSandboxLevel::Disabled,
HELPER_WINDOWS_SANDBOX_LEVEL,
/*has_managed_network_requirements*/ false,
);
let command = SandboxCommand {
@@ -430,7 +431,7 @@ fn prepare_helper_request(
sandbox_policy_cwd: helper_cwd.as_path(),
codex_linux_sandbox_exe: codex_linux_sandbox_exe.as_ref(),
use_legacy_landlock: false,
windows_sandbox_level: WindowsSandboxLevel::Disabled,
windows_sandbox_level: HELPER_WINDOWS_SANDBOX_LEVEL,
windows_sandbox_private_desktop: false,
})
.map_err(io::Error::other)
@@ -517,7 +518,9 @@ fn linux_sandbox_executable_path(helper_exe: &Path) -> Option<PathBuf> {
#[cfg(test)]
mod tests {
use super::HELPER_WINDOWS_SANDBOX_LEVEL;
use super::helper_legacy_policy;
use codex_protocol::config_types::WindowsSandboxLevel;
use codex_protocol::permissions::FileSystemAccessMode;
use codex_protocol::permissions::FileSystemPath;
use codex_protocol::permissions::FileSystemSandboxEntry;
@@ -552,4 +555,12 @@ mod tests {
}
);
}
#[test]
fn helper_sandbox_requests_use_restricted_windows_sandbox_level() {
assert_eq!(
HELPER_WINDOWS_SANDBOX_LEVEL,
WindowsSandboxLevel::RestrictedToken
);
}
}
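Review bot: The added test `helper_sandbox_requests_use_restricted_windows_sandbox_level` only compares `HELPER_WINDOWS_SANDBOX_LEVEL` with `WindowsSandboxLevel::RestrictedToken`, so it pins the constant's value but not that `prepare_helper_request` actually passes it. A later edit that puts `WindowsSandboxLevel::Disabled` back at either of the two call sites changed here would leave the helper unsandboxed on Windows and this test would still pass. A test that builds a helper request and asserts on the sandbox level it carries would cover the behaviour; whether the returned value exposes that field is not visible in these hunks, since the body of `prepare_helper_request` continues outside them. The constant would also benefit from a doc comment stating the intent, for example `/// Windows sandbox level for the internal fs-op helper; both call sites in prepare_helper_request must use this value so they cannot disagree.`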