Run exec-server fs operations through sandbox helper (#17294)

## Summary - run exec-server filesystem RPCs requiring sandboxing through a `codex-fs` arg0 helper over stdin/stdout - keep direct local filesystem execution for `DangerFullAccess` and external sandbox policies - remove the standalone exec-server binary path in favor of top-level arg0 dispatch/runtime paths - add sandbox escape regression coverage for local and remote filesystem paths ## Validation - `just fmt` - `git diff --check` - remote devbox: `cd codex-rs && bazel test --bes_backend= --bes_results_url= //codex-rs/exec-server:all` (6/6 passed) --------- Co-authored-by: Codex <noreply@openai.com>
2026-05-04 03:16:31 +00:00 · 2026-04-12 18:36:03 -07:00
parent 7c1e41c8b6
commit d626dc3895
52 changed files with 2313 additions and 895 deletions
--- a/codex-rs/exec-server/src/server/handler/tests.rs
+++ b/codex-rs/exec-server/src/server/handler/tests.rs
@@ -7,6 +7,7 @@ use tokio::sync::mpsc;
 use uuid::Uuid;

 use super::ExecServerHandler;
+use crate::ExecServerRuntimePaths;
 use crate::ProcessId;
 use crate::protocol::ExecParams;
 use crate::protocol::InitializeParams;
@@ -64,12 +65,21 @@ fn windows_command_processor() -> String {
    std::env::var("COMSPEC").unwrap_or_else(|_| "cmd.exe".to_string())
 }

+fn test_runtime_paths() -> ExecServerRuntimePaths {
+    ExecServerRuntimePaths::new(
+        std::env::current_exe().expect("current exe"),
+        /*codex_linux_sandbox_exe*/ None,
+    )
+    .expect("runtime paths")
+}
+
 async fn initialized_handler() -> Arc<ExecServerHandler> {
    let (outgoing_tx, _outgoing_rx) = mpsc::channel(16);
    let registry = SessionRegistry::new();
    let handler = Arc::new(ExecServerHandler::new(
        registry,
        RpcNotificationSender::new(outgoing_tx),
+        test_runtime_paths(),
    ));
    let initialize_response = handler
        .initialize(InitializeParams {
@@ -147,6 +157,7 @@ async fn long_poll_read_fails_after_session_resume() {
    let first_handler = Arc::new(ExecServerHandler::new(
        Arc::clone(&registry),
        RpcNotificationSender::new(first_tx),
+        test_runtime_paths(),
    ));
    let initialize_response = first_handler
        .initialize(InitializeParams {
@@ -187,6 +198,7 @@ async fn long_poll_read_fails_after_session_resume() {
    let second_handler = Arc::new(ExecServerHandler::new(
        registry,
        RpcNotificationSender::new(second_tx),
+        test_runtime_paths(),
    ));
    second_handler
        .initialize(InitializeParams {
@@ -219,6 +231,7 @@ async fn active_session_resume_is_rejected() {
    let first_handler = Arc::new(ExecServerHandler::new(
        Arc::clone(&registry),
        RpcNotificationSender::new(first_tx),
+        test_runtime_paths(),
    ));
    let initialize_response = first_handler
        .initialize(InitializeParams {
@@ -232,6 +245,7 @@ async fn active_session_resume_is_rejected() {
    let second_handler = Arc::new(ExecServerHandler::new(
        registry,
        RpcNotificationSender::new(second_tx),
+        test_runtime_paths(),
    ));
    let err = second_handler
        .initialize(InitializeParams {
@@ -259,6 +273,7 @@ async fn output_and_exit_are_retained_after_notification_receiver_closes() {
    let handler = Arc::new(ExecServerHandler::new(
        SessionRegistry::new(),
        RpcNotificationSender::new(outgoing_tx),
+        test_runtime_paths(),
    ));
    handler
        .initialize(InitializeParams {