Run exec-server fs operations through sandbox helper (#17294)

## Summary - run exec-server filesystem RPCs requiring sandboxing through a `codex-fs` arg0 helper over stdin/stdout - keep direct local filesystem execution for `DangerFullAccess` and external sandbox policies - remove the standalone exec-server binary path in favor of top-level arg0 dispatch/runtime paths - add sandbox escape regression coverage for local and remote filesystem paths ## Validation - `just fmt` - `git diff --check` - remote devbox: `cd codex-rs && bazel test --bes_backend= --bes_results_url= //codex-rs/exec-server:all` (6/6 passed) --------- Co-authored-by: Codex <noreply@openai.com>
2026-05-05 03:47:01 +00:00 · 2026-04-12 18:36:03 -07:00
parent 7c1e41c8b6
commit d626dc3895
52 changed files with 2313 additions and 895 deletions
--- a/codex-rs/core/tests/common/test_codex.rs
+++ b/codex-rs/core/tests/common/test_codex.rs
@@ -148,7 +148,11 @@ pub async fn test_env() -> Result<TestEnv> {
            let cwd = remote_aware_cwd_path();
            environment
                .get_filesystem()
-                .create_directory(&cwd, CreateDirectoryOptions { recursive: true })
+                .create_directory(
+                    &cwd,
+                    CreateDirectoryOptions { recursive: true },
+                    /*sandbox*/ None,
+                )
                .await?;
            remote_process.process.register_cleanup_path(cwd.as_path());
            Ok(TestEnv {
@@ -170,10 +174,9 @@ struct RemoteExecServerStart {
 fn start_remote_exec_server(remote_env: &RemoteEnvConfig) -> Result<RemoteExecServerStart> {
    let container_name = remote_env.container_name.as_str();
    let instance_id = remote_exec_server_instance_id();
-    let remote_exec_server_path = format!("/tmp/codex-exec-server-{instance_id}");
+    let remote_exec_server_path = format!("/tmp/codex-{instance_id}");
    let stdout_path = format!("/tmp/codex-exec-server-{instance_id}.stdout");
-    let local_binary = codex_utils_cargo_bin::cargo_bin("codex-exec-server")
-        .context("resolve codex-exec-server binary")?;
+    let local_binary = codex_utils_cargo_bin::cargo_bin("codex").context("resolve codex binary")?;
    let local_binary = local_binary.to_string_lossy().to_string();
    let remote_binary = format!("{container_name}:{remote_exec_server_path}");

@@ -188,7 +191,7 @@ fn start_remote_exec_server(remote_env: &RemoteEnvConfig) -> Result<RemoteExecSe

    let start_script = format!(
        "rm -f {stdout_path}; \
-nohup {remote_exec_server_path} --listen ws://0.0.0.0:0 > {stdout_path} 2>&1 & \
+nohup {remote_exec_server_path} exec-server --listen ws://0.0.0.0:0 > {stdout_path} 2>&1 & \
 echo $!"
    );
    let pid_output =
@@ -836,18 +839,26 @@ impl TestCodexHarness {
        if let Some(parent) = abs_path.parent() {
            self.test
                .fs()
-                .create_directory(&parent, CreateDirectoryOptions { recursive: true })
+                .create_directory(
+                    &parent,
+                    CreateDirectoryOptions { recursive: true },
+                    /*sandbox*/ None,
+                )
                .await?;
        }
        self.test
            .fs()
-            .write_file(&abs_path, contents.as_ref().to_vec())
+            .write_file(&abs_path, contents.as_ref().to_vec(), /*sandbox*/ None)
            .await?;
        Ok(())
    }

    pub async fn read_file_text(&self, rel: impl AsRef<Path>) -> Result<String> {
-        Ok(self.test.fs().read_file_text(&self.path_abs(rel)).await?)
+        Ok(self
+            .test
+            .fs()
+            .read_file_text(&self.path_abs(rel), /*sandbox*/ None)
+            .await?)
    }

    pub async fn create_dir_all(&self, rel: impl AsRef<Path>) -> Result<()> {
@@ -856,6 +867,7 @@ impl TestCodexHarness {
            .create_directory(
                &self.path_abs(rel),
                CreateDirectoryOptions { recursive: true },
+                /*sandbox*/ None,
            )
            .await?;
        Ok(())
@@ -874,13 +886,14 @@ impl TestCodexHarness {
                    recursive: false,
                    force: true,
                },
+                /*sandbox*/ None,
            )
            .await?;
        Ok(())
    }

    pub async fn abs_path_exists(&self, path: &AbsolutePathBuf) -> Result<bool> {
-        match self.test.fs().get_metadata(path).await {
+        match self.test.fs().get_metadata(path, /*sandbox*/ None).await {
            Ok(_) => Ok(true),
            Err(err) if err.kind() == ErrorKind::NotFound => Ok(false),
            Err(err) => Err(err.into()),
--- a/codex-rs/core/tests/suite/agents_md.rs
+++ b/codex-rs/core/tests/suite/agents_md.rs
@@ -33,9 +33,14 @@ async fn agents_override_is_preferred_over_agents_md() -> Result<()> {
        agents_instructions(test_codex().with_workspace_setup(|cwd, fs| async move {
            let agents_md = cwd.join("AGENTS.md");
            let override_md = cwd.join("AGENTS.override.md");
-            fs.write_file(&agents_md, b"base doc".to_vec()).await?;
-            fs.write_file(&override_md, b"override doc".to_vec())
+            fs.write_file(&agents_md, b"base doc".to_vec(), /*sandbox*/ None)
                .await?;
+            fs.write_file(
+                &override_md,
+                b"override doc".to_vec(),
+                /*sandbox*/ None,
+            )
+            .await?;
            Ok::<(), anyhow::Error>(())
        }))
        .await?;
@@ -62,9 +67,14 @@ async fn configured_fallback_is_used_when_agents_candidate_is_directory() -> Res
            .with_workspace_setup(|cwd, fs| async move {
                let agents_dir = cwd.join("AGENTS.md");
                let fallback = cwd.join("WORKFLOW.md");
-                fs.create_directory(&agents_dir, CreateDirectoryOptions { recursive: true })
+                fs.create_directory(
+                    &agents_dir,
+                    CreateDirectoryOptions { recursive: true },
+                    /*sandbox*/ None,
+                )
+                .await?;
+                fs.write_file(&fallback, b"fallback doc".to_vec(), /*sandbox*/ None)
                    .await?;
-                fs.write_file(&fallback, b"fallback doc".to_vec()).await?;
                Ok::<(), anyhow::Error>(())
            }),
    )
@@ -95,12 +105,22 @@ async fn agents_docs_are_concatenated_from_project_root_to_cwd() -> Result<()> {
                let git_marker = root.join(".git");
                let nested_agents = nested.join("AGENTS.md");

-                fs.create_directory(&nested, CreateDirectoryOptions { recursive: true })
+                fs.create_directory(
+                    &nested,
+                    CreateDirectoryOptions { recursive: true },
+                    /*sandbox*/ None,
+                )
+                .await?;
+                fs.write_file(&root_agents, b"root doc".to_vec(), /*sandbox*/ None)
                    .await?;
-                fs.write_file(&root_agents, b"root doc".to_vec()).await?;
-                fs.write_file(&git_marker, b"gitdir: /tmp/mock-git-dir\n".to_vec())
+                fs.write_file(
+                    &git_marker,
+                    b"gitdir: /tmp/mock-git-dir\n".to_vec(),
+                    /*sandbox*/ None,
+                )
+                .await?;
+                fs.write_file(&nested_agents, b"child doc".to_vec(), /*sandbox*/ None)
                    .await?;
-                fs.write_file(&nested_agents, b"child doc".to_vec()).await?;
                Ok::<(), anyhow::Error>(())
            }),
    )
--- a/codex-rs/core/tests/suite/hierarchical_agents.rs
+++ b/codex-rs/core/tests/suite/hierarchical_agents.rs
@@ -27,7 +27,8 @@ async fn hierarchical_agents_appends_to_project_doc_in_user_instructions() {
        })
        .with_workspace_setup(|cwd, fs| async move {
            let agents_md = cwd.join("AGENTS.md");
-            fs.write_file(&agents_md, b"be nice".to_vec()).await?;
+            fs.write_file(&agents_md, b"be nice".to_vec(), /*sandbox*/ None)
+                .await?;
            Ok::<(), anyhow::Error>(())
        });
    let test = builder
--- a/codex-rs/core/tests/suite/mod.rs
+++ b/codex-rs/core/tests/suite/mod.rs
@@ -30,9 +30,14 @@ pub static CODEX_ALIASES_TEMP_DIR: Option<TestCodexAliasesGuard> = {
        .and_then(|name| name.to_str())
        .unwrap_or("");
    let argv1 = args.next().unwrap_or_default();
+    if argv1 == CODEX_CORE_APPLY_PATCH_ARG1 {
+        let _ = arg0_dispatch();
+        return None;
+    }
+
    // Helper re-execs inherit this ctor too, but they may run inside a sandbox
    // where creating another CODEX_HOME tempdir under /tmp is not allowed.
-    if exe_name == CODEX_LINUX_SANDBOX_ARG0 || argv1 == CODEX_CORE_APPLY_PATCH_ARG1 {
+    if exe_name == CODEX_LINUX_SANDBOX_ARG0 {
        return None;
    }

--- a/codex-rs/core/tests/suite/remote_env.rs
+++ b/codex-rs/core/tests/suite/remote_env.rs
@@ -21,9 +21,11 @@ async fn remote_test_env_can_connect_and_use_filesystem() -> Result<()> {
    let payload = b"remote-test-env-ok".to_vec();

    file_system
-        .write_file(&file_path_abs, payload.clone())
+        .write_file(&file_path_abs, payload.clone(), /*sandbox*/ None)
+        .await?;
+    let actual = file_system
+        .read_file(&file_path_abs, /*sandbox*/ None)
        .await?;
-    let actual = file_system.read_file(&file_path_abs).await?;
    assert_eq!(actual, payload);

    file_system
@@ -33,6 +35,7 @@ async fn remote_test_env_can_connect_and_use_filesystem() -> Result<()> {
                recursive: false,
                force: true,
            },
+            /*sandbox*/ None,
        )
        .await?;

--- a/codex-rs/core/tests/suite/unified_exec.rs
+++ b/codex-rs/core/tests/suite/unified_exec.rs
@@ -191,7 +191,11 @@ async fn create_workspace_directory(
 ) -> Result<std::path::PathBuf> {
    let abs_path = test.config.cwd.join(rel_path.as_ref());
    test.fs()
-        .create_directory(&abs_path, CreateDirectoryOptions { recursive: true })
+        .create_directory(
+            &abs_path,
+            CreateDirectoryOptions { recursive: true },
+            /*sandbox*/ None,
+        )
        .await?;
    Ok(abs_path.into_path_buf())
 }
--- a/codex-rs/core/tests/suite/view_image.rs
+++ b/codex-rs/core/tests/suite/view_image.rs
@@ -87,7 +87,11 @@ fn png_bytes(width: u32, height: u32, rgba: [u8; 4]) -> anyhow::Result<Vec<u8>>
 async fn create_workspace_directory(test: &TestCodex, rel_path: &str) -> anyhow::Result<PathBuf> {
    let abs_path = test.config.cwd.join(rel_path);
    test.fs()
-        .create_directory(&abs_path, CreateDirectoryOptions { recursive: true })
+        .create_directory(
+            &abs_path,
+            CreateDirectoryOptions { recursive: true },
+            /*sandbox*/ None,
+        )
        .await?;
    Ok(abs_path.into_path_buf())
 }
@@ -100,10 +104,16 @@ async fn write_workspace_file(
    let abs_path = test.config.cwd.join(rel_path);
    if let Some(parent) = abs_path.parent() {
        test.fs()
-            .create_directory(&parent, CreateDirectoryOptions { recursive: true })
+            .create_directory(
+                &parent,
+                CreateDirectoryOptions { recursive: true },
+                /*sandbox*/ None,
+            )
            .await?;
    }
-    test.fs().write_file(&abs_path, contents).await?;
+    test.fs()
+        .write_file(&abs_path, contents, /*sandbox*/ None)
+        .await?;
    Ok(abs_path.into_path_buf())
 }