Run exec-server fs operations through sandbox helper (#17294)

## Summary
- run exec-server filesystem RPCs requiring sandboxing through a
`codex-fs` arg0 helper over stdin/stdout
- keep direct local filesystem execution for `DangerFullAccess` and
external sandbox policies
- remove the standalone exec-server binary path in favor of top-level
arg0 dispatch/runtime paths
- add sandbox escape regression coverage for local and remote filesystem
paths

## Validation
- `just fmt`
- `git diff --check`
- remote devbox: `cd codex-rs && bazel test --bes_backend=
--bes_results_url= //codex-rs/exec-server:all` (6/6 passed)

---------

Co-authored-by: Codex <noreply@openai.com>

codex-rs/exec-server/src/file_system.rs

@@ -1,4 +1,6 @@
 use async_trait::async_trait;
+use codex_protocol::config_types::WindowsSandboxLevel;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use tokio::io;
@@ -34,86 +36,95 @@ pub struct ReadDirectoryEntry {
     pub is_file: bool,
 }
 
+#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct FileSystemSandboxContext {
+    pub sandbox_policy: SandboxPolicy,
+    pub windows_sandbox_level: WindowsSandboxLevel,
+    #[serde(default)]
+    pub windows_sandbox_private_desktop: bool,
+    #[serde(default)]
+    pub use_legacy_landlock: bool,
+    pub additional_permissions: Option<PermissionProfile>,
+}
+
+impl FileSystemSandboxContext {
+    pub fn new(sandbox_policy: SandboxPolicy) -> Self {
+        Self {
+            sandbox_policy,
+            windows_sandbox_level: WindowsSandboxLevel::Disabled,
+            windows_sandbox_private_desktop: false,
+            use_legacy_landlock: false,
+            additional_permissions: None,
+        }
+    }
+
+    pub fn should_run_in_sandbox(&self) -> bool {
+        matches!(
+            self.sandbox_policy,
+            SandboxPolicy::ReadOnly { .. } | SandboxPolicy::WorkspaceWrite { .. }
+        )
+    }
+}
+
 pub type FileSystemResult<T> = io::Result<T>;
 
 #[async_trait]
 pub trait ExecutorFileSystem: Send + Sync {
-    async fn read_file(&self, path: &AbsolutePathBuf) -> FileSystemResult<Vec<u8>>;
+    async fn read_file(
+        &self,
+        path: &AbsolutePathBuf,
+        sandbox: Option<&FileSystemSandboxContext>,
+    ) -> FileSystemResult<Vec<u8>>;
 
     /// Reads a file and decodes it as UTF-8 text.
-    async fn read_file_text(&self, path: &AbsolutePathBuf) -> FileSystemResult<String> {
-        let bytes = self.read_file(path).await?;
+    async fn read_file_text(
+        &self,
+        path: &AbsolutePathBuf,
+        sandbox: Option<&FileSystemSandboxContext>,
+    ) -> FileSystemResult<String> {
+        let bytes = self.read_file(path, sandbox).await?;
         String::from_utf8(bytes).map_err(|err| io::Error::new(io::ErrorKind::InvalidData, err))
     }
 
-    async fn read_file_with_sandbox_policy(
-        &self,
-        path: &AbsolutePathBuf,
-        sandbox_policy: Option<&SandboxPolicy>,
-    ) -> FileSystemResult<Vec<u8>>;
-
-    async fn write_file(&self, path: &AbsolutePathBuf, contents: Vec<u8>) -> FileSystemResult<()>;
-
-    async fn write_file_with_sandbox_policy(
+    async fn write_file(
         &self,
         path: &AbsolutePathBuf,
         contents: Vec<u8>,
-        sandbox_policy: Option<&SandboxPolicy>,
+        sandbox: Option<&FileSystemSandboxContext>,
     ) -> FileSystemResult<()>;
 
     async fn create_directory(
-        &self,
-        path: &AbsolutePathBuf,
-        options: CreateDirectoryOptions,
-    ) -> FileSystemResult<()>;
-
-    async fn create_directory_with_sandbox_policy(
         &self,
         path: &AbsolutePathBuf,
         create_directory_options: CreateDirectoryOptions,
-        sandbox_policy: Option<&SandboxPolicy>,
+        sandbox: Option<&FileSystemSandboxContext>,
     ) -> FileSystemResult<()>;
 
-    async fn get_metadata(&self, path: &AbsolutePathBuf) -> FileSystemResult<FileMetadata>;
-
-    async fn get_metadata_with_sandbox_policy(
+    async fn get_metadata(
         &self,
         path: &AbsolutePathBuf,
-        sandbox_policy: Option<&SandboxPolicy>,
+        sandbox: Option<&FileSystemSandboxContext>,
     ) -> FileSystemResult<FileMetadata>;
 
     async fn read_directory(
         &self,
         path: &AbsolutePathBuf,
+        sandbox: Option<&FileSystemSandboxContext>,
     ) -> FileSystemResult<Vec<ReadDirectoryEntry>>;
 
-    async fn read_directory_with_sandbox_policy(
-        &self,
-        path: &AbsolutePathBuf,
-        sandbox_policy: Option<&SandboxPolicy>,
-    ) -> FileSystemResult<Vec<ReadDirectoryEntry>>;
-
-    async fn remove(&self, path: &AbsolutePathBuf, options: RemoveOptions) -> FileSystemResult<()>;
-
-    async fn remove_with_sandbox_policy(
+    async fn remove(
         &self,
         path: &AbsolutePathBuf,
         remove_options: RemoveOptions,
-        sandbox_policy: Option<&SandboxPolicy>,
+        sandbox: Option<&FileSystemSandboxContext>,
     ) -> FileSystemResult<()>;
 
     async fn copy(
-        &self,
-        source_path: &AbsolutePathBuf,
-        destination_path: &AbsolutePathBuf,
-        options: CopyOptions,
-    ) -> FileSystemResult<()>;
-
-    async fn copy_with_sandbox_policy(
         &self,
         source_path: &AbsolutePathBuf,
         destination_path: &AbsolutePathBuf,
         copy_options: CopyOptions,
-        sandbox_policy: Option<&SandboxPolicy>,
+        sandbox: Option<&FileSystemSandboxContext>,
     ) -> FileSystemResult<()>;
 }