fix: fix fs sandbox helper for apply_patch (#18296)

## Summary - pass split filesystem sandbox policy/cwd through apply_patch contexts, while omitting legacy-equivalent policies to keep payloads small - keep the fs helper compatible with legacy Landlock by avoiding helper read-root permission expansion in that mode and disabling helper network access ## Root Cause `d626dc38950fb40a1a5ad0a8ffab2485e3348c53` routed exec-server filesystem operations through a sandboxed helper. That path forwarded legacy Landlock into a helper policy shape that could require direct split-policy enforcement. Sandboxed `apply_patch` hit that edge through the filesystem abstraction. The same 0.121 edit-regression path is consistent with #18354: normal writes route through the `apply_patch` filesystem helper, fail under sandbox, and then surface the generic retry-without-sandbox prompt. Fixes #18069 Fixes #18354 ## Validation - `cd codex-rs && just fmt` - earlier branch validation before merging current `origin/main` and dropping the now-separate PATH fix: - `cd codex-rs && cargo test -p codex-exec-server` - `cd codex-rs && cargo test -p codex-core file_system_sandbox_context` - `cd codex-rs && just fix -p codex-exec-server` - `cd codex-rs && just fix -p codex-core` - `git diff --check` - `cd codex-rs && cargo clean` --------- Co-authored-by: Codex <noreply@openai.com>
2026-06-01 19:02:59 +00:00 · 2026-04-17 15:39:07 -07:00
parent c9c4caafd8
commit f705f42ba8
5 changed files with 259 additions and 65 deletions
--- a/codex-rs/core/src/session/turn_context.rs
+++ b/codex-rs/core/src/session/turn_context.rs
@@ -209,6 +209,8 @@ impl TurnContext {
    ) -> FileSystemSandboxContext {
        FileSystemSandboxContext {
            sandbox_policy: self.sandbox_policy.get().clone(),
+            sandbox_policy_cwd: Some(self.cwd.clone()),
+            file_system_sandbox_policy: self.non_legacy_file_system_sandbox_policy(),
            windows_sandbox_level: self.windows_sandbox_level,
            windows_sandbox_private_desktop: self
                .config
@@ -219,6 +221,19 @@ impl TurnContext {
        }
    }

+    fn non_legacy_file_system_sandbox_policy(&self) -> Option<FileSystemSandboxPolicy> {
+        // Omit the derived split filesystem policy when it is equivalent to
+        // the legacy sandbox policy. This keeps turn-context payloads stable
+        // while both fields exist; once callers consume only the split policy,
+        // this comparison and the legacy projection should go away.
+        let legacy_file_system_sandbox_policy = FileSystemSandboxPolicy::from_legacy_sandbox_policy(
+            self.sandbox_policy.get(),
+            &self.cwd,
+        );
+        (self.file_system_sandbox_policy != legacy_file_system_sandbox_policy)
+            .then(|| self.file_system_sandbox_policy.clone())
+    }
+
    pub(crate) fn compact_prompt(&self) -> &str {
        self.compact_prompt
            .as_deref()
@@ -226,18 +241,6 @@ impl TurnContext {
    }

    pub(crate) fn to_turn_context_item(&self) -> TurnContextItem {
-        let legacy_file_system_sandbox_policy = FileSystemSandboxPolicy::from_legacy_sandbox_policy(
-            self.sandbox_policy.get(),
-            &self.cwd,
-        );
-        // Omit the derived split filesystem policy when it is equivalent to
-        // the legacy sandbox policy. This keeps turn-context payloads stable
-        // while both fields exist; once callers consume only the split policy,
-        // this comparison and the legacy projection should go away.
-        let file_system_sandbox_policy = (self.file_system_sandbox_policy
-            != legacy_file_system_sandbox_policy)
-            .then(|| self.file_system_sandbox_policy.clone());
-
        TurnContextItem {
            turn_id: Some(self.sub_id.clone()),
            trace_id: self.trace_id.clone(),
@@ -247,7 +250,7 @@ impl TurnContext {
            approval_policy: self.approval_policy.value(),
            sandbox_policy: self.sandbox_policy.get().clone(),
            network: self.turn_context_network_item(),
-            file_system_sandbox_policy,
+            file_system_sandbox_policy: self.non_legacy_file_system_sandbox_policy(),
            model: self.model_info.slug.clone(),
            personality: self.personality,
            collaboration_mode: Some(self.collaboration_mode.clone()),