refactor(permissions): use effective filesystem permissions for enforcement preflight

Co-authored-by: Codex noreply@openai.com

codex-rs/core/src/sandboxing/mod.rs

@@ -122,6 +122,7 @@ impl ExecRequest {
             windows_sandbox_level,
             windows_sandbox_private_desktop,
             permission_profile,
+            effective_filesystem_permissions: _,
             file_system_sandbox_policy,
             network_sandbox_policy,
             arg0,

codex-rs/core/src/tools/handlers/apply_patch.rs

@@ -46,7 +46,9 @@ use codex_protocol::models::FileSystemPermissions;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::FileChange;
 use codex_protocol::protocol::PatchApplyUpdatedEvent;
-use codex_sandboxing::policy_transforms::effective_file_system_sandbox_policy;
+use codex_sandboxing::EffectiveFilesystemPermissions;
+use codex_sandboxing::FilesystemPermissionsContext;
+use codex_sandboxing::policy_transforms::effective_permission_profile;
 use codex_sandboxing::policy_transforms::merge_permission_profiles;
 use codex_sandboxing::policy_transforms::normalize_additional_permissions;
 use codex_tools::ToolName;
@@ -224,8 +226,7 @@ fn to_abs_path(cwd: &AbsolutePathBuf, path: &Path) -> Option<AbsolutePathBuf> {
 
 fn write_permissions_for_paths(
     file_paths: &[AbsolutePathBuf],
-    file_system_sandbox_policy: &codex_protocol::permissions::FileSystemSandboxPolicy,
-    cwd: &AbsolutePathBuf,
+    effective_filesystem_permissions: &EffectiveFilesystemPermissions,
 ) -> Option<AdditionalPermissionProfile> {
     let write_paths = file_paths
         .iter()
@@ -234,9 +235,7 @@ fn write_permissions_for_paths(
                 .unwrap_or_else(|| path.clone())
                 .into_path_buf()
         })
-        .filter(|path| {
-            !file_system_sandbox_policy.can_write_path_with_cwd(path.as_path(), cwd.as_path())
-        })
+        .filter(|path| !effective_filesystem_permissions.can_write(path.as_path()))
         .collect::<BTreeSet<_>>()
         .into_iter()
         .map(AbsolutePathBuf::from_absolute_path)
@@ -267,34 +266,46 @@ async fn effective_patch_permissions(
     turn: &TurnContext,
     action: &ApplyPatchAction,
     cwd: &AbsolutePathBuf,
-) -> (
-    Vec<AbsolutePathBuf>,
-    crate::tools::handlers::EffectiveAdditionalPermissions,
-    codex_protocol::permissions::FileSystemSandboxPolicy,
-) {
+) -> Result<
+    (
+        Vec<AbsolutePathBuf>,
+        crate::tools::handlers::EffectiveAdditionalPermissions,
+        codex_protocol::permissions::FileSystemSandboxPolicy,
+    ),
+    FunctionCallError,
+> {
     let file_paths = file_paths_for_action(action);
     let granted_permissions = merge_permission_profiles(
         session.granted_session_permissions().await.as_ref(),
         session.granted_turn_permissions().await.as_ref(),
     );
-    let base_file_system_sandbox_policy = turn.file_system_sandbox_policy();
-    let file_system_sandbox_policy = effective_file_system_sandbox_policy(
-        &base_file_system_sandbox_policy,
-        granted_permissions.as_ref(),
-    );
+    let effective_permission_profile =
+        effective_permission_profile(&turn.permission_profile(), granted_permissions.as_ref());
+    let file_system_sandbox_policy = effective_permission_profile.file_system_sandbox_policy();
+    let effective_filesystem_permissions = EffectiveFilesystemPermissions::from_profile(
+        &effective_permission_profile,
+        FilesystemPermissionsContext {
+            policy_evaluation_cwd: cwd,
+        },
+    )
+    .map_err(|err| {
+        FunctionCallError::RespondToModel(format!(
+            "failed to derive effective filesystem permissions for apply_patch: {err}"
+        ))
+    })?;
     let effective_additional_permissions = apply_granted_turn_permissions(
         session,
         cwd.as_path(),
         crate::sandboxing::SandboxPermissions::UseDefault,
-        write_permissions_for_paths(&file_paths, &file_system_sandbox_policy, cwd),
+        write_permissions_for_paths(&file_paths, &effective_filesystem_permissions),
     )
     .await;
 
-    (
+    Ok((
         file_paths,
         effective_additional_permissions,
         file_system_sandbox_policy,
-    )
+    ))
 }
 
 #[async_trait::async_trait]
@@ -354,7 +365,7 @@ impl ToolExecutor<ToolInvocation> for ApplyPatchHandler {
             codex_apply_patch::MaybeApplyPatchVerified::Body(changes) => {
                 let (file_paths, effective_additional_permissions, file_system_sandbox_policy) =
                     effective_patch_permissions(session.as_ref(), turn.as_ref(), &changes, &cwd)
-                        .await;
+                        .await?;
                 match apply_patch::apply_patch(turn.as_ref(), &file_system_sandbox_policy, changes)
                     .await
                 {
@@ -506,7 +517,7 @@ pub(crate) async fn intercept_apply_patch(
     {
         codex_apply_patch::MaybeApplyPatchVerified::Body(changes) => {
             let (approval_keys, effective_additional_permissions, file_system_sandbox_policy) =
-                effective_patch_permissions(session.as_ref(), turn.as_ref(), &changes, cwd).await;
+                effective_patch_permissions(session.as_ref(), turn.as_ref(), &changes, cwd).await?;
             match apply_patch::apply_patch(turn.as_ref(), &file_system_sandbox_policy, changes)
                 .await
             {

codex-rs/core/src/tools/handlers/apply_patch_tests.rs

@@ -1,7 +1,9 @@
 use super::*;
 use codex_apply_patch::MaybeApplyPatchVerified;
 use codex_exec_server::LOCAL_FS;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_protocol::protocol::FileChange;
 use core_test_support::PathBufExt;
 use core_test_support::PathExt;
@@ -27,6 +29,24 @@ fn sample_patch() -> &'static str {
 *** End Patch"#
 }
 
+fn effective_permissions(
+    sandbox_policy: &FileSystemSandboxPolicy,
+    cwd: &AbsolutePathBuf,
+) -> codex_sandboxing::EffectiveFilesystemPermissions {
+    let permission_profile = PermissionProfile::from_runtime_permissions(
+        sandbox_policy,
+        NetworkSandboxPolicy::Restricted,
+    )
+    .materialize_project_roots_with_workspace_roots(std::slice::from_ref(cwd));
+    codex_sandboxing::EffectiveFilesystemPermissions::from_profile(
+        &permission_profile,
+        codex_sandboxing::FilesystemPermissionsContext {
+            policy_evaluation_cwd: cwd,
+        },
+    )
+    .expect("derive effective filesystem permissions")
+}
+
 async fn invocation_for_payload(payload: ToolPayload) -> ToolInvocation {
     let (session, turn) = make_session_and_context().await;
     ToolInvocation {
@@ -255,8 +275,9 @@ fn write_permissions_for_paths_skip_dirs_already_writable_under_workspace_root()
         /*exclude_tmpdir_env_var*/ true,
         /*exclude_slash_tmp*/ false,
     );
+    let effective_permissions = effective_permissions(&sandbox_policy, &cwd);
 
-    let permissions = write_permissions_for_paths(&[file_path], &sandbox_policy, &cwd);
+    let permissions = write_permissions_for_paths(&[file_path], &effective_permissions);
 
     assert_eq!(permissions, None);
 }
@@ -276,8 +297,9 @@ fn write_permissions_for_paths_keep_dirs_outside_workspace_root() {
         /*exclude_tmpdir_env_var*/ true,
         /*exclude_slash_tmp*/ true,
     );
+    let effective_permissions = effective_permissions(&sandbox_policy, &cwd_abs);
 
-    let permissions = write_permissions_for_paths(&[file_path], &sandbox_policy, &cwd_abs);
+    let permissions = write_permissions_for_paths(&[file_path], &effective_permissions);
     let expected_outside =
         dunce::simplified(&outside.canonicalize().expect("canonicalize outside dir")).abs();
 

codex-rs/sandboxing/src/effective_filesystem_permissions.rs

@@ -0,0 +1,189 @@
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::FileSystemPath;
+use codex_protocol::permissions::FileSystemSandboxKind;
+use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::FileSystemSpecialPath;
+use codex_protocol::permissions::ReadDenyMatcher;
+use codex_protocol::permissions::project_roots_glob_pattern;
+use codex_protocol::protocol::WritableRoot;
+use codex_utils_absolute_path::AbsolutePathBuf;
+use std::fmt;
+use std::path::Path;
+
+/// Context needed to evaluate an already-materialized filesystem policy.
+pub struct FilesystemPermissionsContext<'a> {
+    /// Resolves cwd-sensitive policy mechanics such as filesystem root and
+    /// relative candidate paths. It is not workspace-root authority.
+    pub policy_evaluation_cwd: &'a AbsolutePathBuf,
+}
+
+/// The outer filesystem access mode represented by effective permissions.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum FilesystemPermissionsMode {
+    Restricted,
+    Unrestricted,
+    External,
+}
+
+/// A deny-read glob retained in effective filesystem enforcement inputs.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct ValidatedDenyGlob {
+    pattern: String,
+}
+
+impl ValidatedDenyGlob {
+    pub fn pattern(&self) -> &str {
+        &self.pattern
+    }
+}
+
+/// Effective filesystem enforcement facts derived from a permission profile.
+///
+/// This internal representation centralizes effective roots, writable carveouts,
+/// protected metadata, and read-deny matching before platform-specific lowering.
+pub struct EffectiveFilesystemPermissions {
+    pub mode: FilesystemPermissionsMode,
+    pub readable_roots: Vec<AbsolutePathBuf>,
+    pub writable_roots: Vec<WritableRoot>,
+    pub unreadable_roots: Vec<AbsolutePathBuf>,
+    pub unreadable_globs: Vec<ValidatedDenyGlob>,
+    pub include_platform_defaults: bool,
+    pub glob_scan_max_depth: Option<usize>,
+    file_system_policy: FileSystemSandboxPolicy,
+    policy_evaluation_cwd: AbsolutePathBuf,
+    read_deny_matcher: Option<ReadDenyMatcher>,
+}
+
+impl fmt::Debug for EffectiveFilesystemPermissions {
+    fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
+        formatter
+            .debug_struct("EffectiveFilesystemPermissions")
+            .field("mode", &self.mode)
+            .field("readable_roots", &self.readable_roots)
+            .field("writable_roots", &self.writable_roots)
+            .field("unreadable_roots", &self.unreadable_roots)
+            .field("unreadable_globs", &self.unreadable_globs)
+            .field("include_platform_defaults", &self.include_platform_defaults)
+            .field("glob_scan_max_depth", &self.glob_scan_max_depth)
+            .finish_non_exhaustive()
+    }
+}
+
+impl EffectiveFilesystemPermissions {
+    /// Derives effective filesystem enforcement facts for platform consumers.
+    ///
+    /// Callers must pass an effective `PermissionProfile` after runtime grants and
+    /// runtime workspace roots have been applied. Symbolic workspace-root entries
+    /// are rejected at this boundary rather than resolved from a working directory.
+    pub fn from_profile(
+        permission_profile: &PermissionProfile,
+        context: FilesystemPermissionsContext<'_>,
+    ) -> Result<Self, FilesystemPermissionsError> {
+        let file_system_policy = permission_profile.file_system_sandbox_policy();
+        if contains_unmaterialized_workspace_roots(&file_system_policy) {
+            return Err(FilesystemPermissionsError::UnmaterializedWorkspaceRoots);
+        }
+        // Direct enforcement queries have historically failed closed for malformed
+        // deny patterns. Platform lowering that expands concrete targets can still
+        // validate the patterns before acting on the filesystem.
+        let read_deny_matcher =
+            ReadDenyMatcher::new(&file_system_policy, context.policy_evaluation_cwd.as_path());
+        let mode = match file_system_policy.kind {
+            FileSystemSandboxKind::Restricted => FilesystemPermissionsMode::Restricted,
+            FileSystemSandboxKind::Unrestricted => FilesystemPermissionsMode::Unrestricted,
+            FileSystemSandboxKind::ExternalSandbox => FilesystemPermissionsMode::External,
+        };
+        let readable_roots =
+            file_system_policy.get_readable_roots_with_cwd(context.policy_evaluation_cwd.as_path());
+        let writable_roots =
+            file_system_policy.get_writable_roots_with_cwd(context.policy_evaluation_cwd.as_path());
+        let unreadable_roots = file_system_policy
+            .get_unreadable_roots_with_cwd(context.policy_evaluation_cwd.as_path());
+        let unreadable_globs = file_system_policy
+            .get_unreadable_globs_with_cwd(context.policy_evaluation_cwd.as_path())
+            .into_iter()
+            .map(|pattern| ValidatedDenyGlob { pattern })
+            .collect();
+        let include_platform_defaults = file_system_policy.include_platform_defaults();
+        let glob_scan_max_depth = file_system_policy.glob_scan_max_depth;
+
+        Ok(Self {
+            mode,
+            readable_roots,
+            writable_roots,
+            unreadable_roots,
+            unreadable_globs,
+            include_platform_defaults,
+            glob_scan_max_depth,
+            file_system_policy,
+            policy_evaluation_cwd: context.policy_evaluation_cwd.clone(),
+            read_deny_matcher,
+        })
+    }
+
+    /// Returns whether a read is permitted after applying explicit read denies.
+    pub fn can_read(&self, path: &Path) -> bool {
+        self.file_system_policy
+            .can_read_path_with_cwd(path, self.policy_evaluation_cwd.as_path())
+            && !self.is_read_denied(path)
+    }
+
+    /// Returns whether a write is permitted, including protected metadata rules.
+    pub fn can_write(&self, path: &Path) -> bool {
+        self.file_system_policy
+            .can_write_path_with_cwd(path, self.policy_evaluation_cwd.as_path())
+    }
+
+    /// Returns whether `path` is matched by an explicit deny-read entry.
+    pub fn is_read_denied(&self, path: &Path) -> bool {
+        self.read_deny_matcher
+            .as_ref()
+            .is_some_and(|matcher| matcher.is_read_denied(path))
+    }
+
+    pub fn has_full_disk_read_access(&self) -> bool {
+        self.file_system_policy.has_full_disk_read_access()
+    }
+
+    pub fn has_full_disk_write_access(&self) -> bool {
+        self.file_system_policy.has_full_disk_write_access()
+    }
+}
+
+/// An error deriving filesystem enforcement facts from a permission profile.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum FilesystemPermissionsError {
+    UnmaterializedWorkspaceRoots,
+    InvalidDenyGlob(String),
+}
+
+impl fmt::Display for FilesystemPermissionsError {
+    fn fmt(&self, formatter: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::UnmaterializedWorkspaceRoots => formatter.write_str(
+                "effective filesystem permissions require workspace roots to be materialized from runtime workspace roots",
+            ),
+            Self::InvalidDenyGlob(message) => formatter.write_str(message),
+        }
+    }
+}
+
+impl std::error::Error for FilesystemPermissionsError {}
+
+fn contains_unmaterialized_workspace_roots(file_system_policy: &FileSystemSandboxPolicy) -> bool {
+    let workspace_glob_prefix = project_roots_glob_pattern(Path::new(""));
+    file_system_policy
+        .entries
+        .iter()
+        .any(|entry| match &entry.path {
+            FileSystemPath::Special {
+                value: FileSystemSpecialPath::ProjectRoots { .. },
+            } => true,
+            FileSystemPath::GlobPattern { pattern } => pattern.starts_with(&workspace_glob_prefix),
+            FileSystemPath::Path { .. } | FileSystemPath::Special { .. } => false,
+        })
+}
+
+#[cfg(test)]
+#[path = "effective_filesystem_permissions_tests.rs"]
+mod tests;

codex-rs/sandboxing/src/effective_filesystem_permissions_tests.rs

@@ -0,0 +1,279 @@
+use super::EffectiveFilesystemPermissions;
+use super::FilesystemPermissionsContext;
+use super::FilesystemPermissionsError;
+use super::FilesystemPermissionsMode;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::permissions::FileSystemAccessMode;
+use codex_protocol::permissions::FileSystemPath;
+use codex_protocol::permissions::FileSystemSandboxEntry;
+use codex_protocol::permissions::FileSystemSandboxKind;
+use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::NetworkSandboxPolicy;
+use codex_protocol::permissions::ReadDenyMatcher;
+use codex_protocol::permissions::project_roots_glob_pattern;
+use codex_utils_absolute_path::AbsolutePathBuf;
+use pretty_assertions::assert_eq;
+use std::path::Path;
+use tempfile::TempDir;
+
+fn absolute_path(path: &Path) -> AbsolutePathBuf {
+    AbsolutePathBuf::from_absolute_path(path).expect("absolute path")
+}
+
+fn derive_effective(
+    permission_profile: &PermissionProfile,
+    cwd: &AbsolutePathBuf,
+) -> super::EffectiveFilesystemPermissions {
+    EffectiveFilesystemPermissions::from_profile(
+        permission_profile,
+        FilesystemPermissionsContext {
+            policy_evaluation_cwd: cwd,
+        },
+    )
+    .expect("valid effective filesystem permissions")
+}
+
+fn assert_projected_fields_match_policy(
+    permission_profile: &PermissionProfile,
+    cwd: &AbsolutePathBuf,
+) -> super::EffectiveFilesystemPermissions {
+    let effective = derive_effective(permission_profile, cwd);
+    let policy = permission_profile.file_system_sandbox_policy();
+    let expected_mode = match policy.kind {
+        FileSystemSandboxKind::Restricted => FilesystemPermissionsMode::Restricted,
+        FileSystemSandboxKind::Unrestricted => FilesystemPermissionsMode::Unrestricted,
+        FileSystemSandboxKind::ExternalSandbox => FilesystemPermissionsMode::External,
+    };
+
+    assert_eq!(effective.mode, expected_mode);
+    assert_eq!(
+        effective.readable_roots,
+        policy.get_readable_roots_with_cwd(cwd.as_path())
+    );
+    assert_eq!(
+        effective.writable_roots,
+        policy.get_writable_roots_with_cwd(cwd.as_path())
+    );
+    assert_eq!(
+        effective.unreadable_roots,
+        policy.get_unreadable_roots_with_cwd(cwd.as_path())
+    );
+    assert_eq!(
+        effective
+            .unreadable_globs
+            .iter()
+            .map(|glob| glob.pattern().to_string())
+            .collect::<Vec<_>>(),
+        policy.get_unreadable_globs_with_cwd(cwd.as_path())
+    );
+    assert_eq!(
+        effective.include_platform_defaults,
+        policy.include_platform_defaults()
+    );
+    assert_eq!(effective.glob_scan_max_depth, policy.glob_scan_max_depth);
+    assert_eq!(
+        effective.has_full_disk_read_access(),
+        policy.has_full_disk_read_access()
+    );
+    assert_eq!(
+        effective.has_full_disk_write_access(),
+        policy.has_full_disk_write_access()
+    );
+
+    effective
+}
+
+#[test]
+fn effective_access_modes_preserve_builtin_profile_semantics() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+
+    let read_only = assert_projected_fields_match_policy(&PermissionProfile::read_only(), &cwd);
+    assert_eq!(read_only.mode, FilesystemPermissionsMode::Restricted);
+    assert_eq!(read_only.can_read(cwd.as_path()), true);
+    assert_eq!(read_only.can_write(cwd.as_path()), false);
+
+    let unrestricted = assert_projected_fields_match_policy(&PermissionProfile::Disabled, &cwd);
+    assert_eq!(unrestricted.mode, FilesystemPermissionsMode::Unrestricted);
+    assert_eq!(unrestricted.can_write(cwd.as_path()), true);
+
+    let external = assert_projected_fields_match_policy(
+        &PermissionProfile::External {
+            network: NetworkSandboxPolicy::Restricted,
+        },
+        &cwd,
+    );
+    assert_eq!(external.mode, FilesystemPermissionsMode::External);
+    assert_eq!(external.has_full_disk_write_access(), true);
+}
+
+#[test]
+fn effective_workspace_permissions_reject_unmaterialized_runtime_workspace_roots() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+    let unresolved_exact = PermissionProfile::workspace_write();
+    let unresolved_glob_policy =
+        FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+            path: FileSystemPath::GlobPattern {
+                pattern: project_roots_glob_pattern(Path::new("**/*.env")),
+            },
+            access: FileSystemAccessMode::Deny,
+        }]);
+    let unresolved_glob = PermissionProfile::from_runtime_permissions(
+        &unresolved_glob_policy,
+        NetworkSandboxPolicy::Restricted,
+    );
+
+    for profile in [&unresolved_exact, &unresolved_glob] {
+        let error = EffectiveFilesystemPermissions::from_profile(
+            profile,
+            FilesystemPermissionsContext {
+                policy_evaluation_cwd: &cwd,
+            },
+        )
+        .expect_err("unresolved runtime workspace roots should fail");
+        assert_eq!(
+            error,
+            FilesystemPermissionsError::UnmaterializedWorkspaceRoots
+        );
+    }
+}
+
+#[test]
+fn effective_workspace_permissions_preserve_materialized_workspace_roots() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+    let first_root = cwd.join("first");
+    let second_root = cwd.join("second");
+    let permission_profile = PermissionProfile::workspace_write()
+        .materialize_project_roots_with_workspace_roots(&[first_root.clone(), second_root.clone()]);
+    let effective = assert_projected_fields_match_policy(&permission_profile, &cwd);
+
+    assert_eq!(effective.can_write(first_root.join("src").as_path()), true);
+    assert_eq!(effective.can_write(second_root.join("src").as_path()), true);
+}
+
+#[test]
+fn effective_permissions_preserve_nested_carveouts_and_read_denies() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+    let workspace = cwd.join("workspace");
+    let read_only_child = workspace.join("generated");
+    let denied_child = workspace.join("private");
+    let policy = FileSystemSandboxPolicy::restricted(vec![
+        FileSystemSandboxEntry {
+            path: FileSystemPath::Path {
+                path: workspace.clone(),
+            },
+            access: FileSystemAccessMode::Write,
+        },
+        FileSystemSandboxEntry {
+            path: FileSystemPath::Path {
+                path: read_only_child.clone(),
+            },
+            access: FileSystemAccessMode::Read,
+        },
+        FileSystemSandboxEntry {
+            path: FileSystemPath::Path {
+                path: denied_child.clone(),
+            },
+            access: FileSystemAccessMode::Deny,
+        },
+    ]);
+    let permission_profile =
+        PermissionProfile::from_runtime_permissions(&policy, NetworkSandboxPolicy::Restricted);
+    let effective = assert_projected_fields_match_policy(&permission_profile, &cwd);
+
+    assert_eq!(
+        effective.can_write(workspace.join("file.txt").as_path()),
+        true
+    );
+    assert_eq!(
+        effective.can_write(read_only_child.join("file.txt").as_path()),
+        false
+    );
+    assert_eq!(effective.can_write(workspace.join(".git").as_path()), false);
+    assert_eq!(
+        effective.can_read(denied_child.join("secret.txt").as_path()),
+        false
+    );
+}
+
+#[cfg(unix)]
+#[test]
+fn effective_permissions_preserve_symlinked_writable_roots() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+    let target = cwd.join("target");
+    let link = cwd.join("linked-workspace");
+    std::fs::create_dir_all(target.as_path()).expect("create target");
+    std::os::unix::fs::symlink(target.as_path(), link.as_path()).expect("create symlink");
+    let policy = FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+        path: FileSystemPath::Path { path: link.clone() },
+        access: FileSystemAccessMode::Write,
+    }]);
+    let permission_profile =
+        PermissionProfile::from_runtime_permissions(&policy, NetworkSandboxPolicy::Restricted);
+    let effective = assert_projected_fields_match_policy(&permission_profile, &cwd);
+
+    assert_eq!(
+        effective.can_write(link.join("file.txt").as_path()),
+        policy.can_write_path_with_cwd(link.join("file.txt").as_path(), cwd.as_path())
+    );
+}
+
+#[test]
+fn effective_permissions_preserve_accepted_deny_glob_matching() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+    let pattern = cwd.join("secret[.txt").to_string_lossy().into_owned();
+    let denied_path = cwd.join("secret[.txt");
+    let policy = FileSystemSandboxPolicy::restricted(vec![
+        FileSystemSandboxEntry {
+            path: FileSystemPath::Path { path: cwd.clone() },
+            access: FileSystemAccessMode::Read,
+        },
+        FileSystemSandboxEntry {
+            path: FileSystemPath::GlobPattern { pattern },
+            access: FileSystemAccessMode::Deny,
+        },
+    ]);
+    let permission_profile =
+        PermissionProfile::from_runtime_permissions(&policy, NetworkSandboxPolicy::Restricted);
+    let effective = assert_projected_fields_match_policy(&permission_profile, &cwd);
+    let current_matcher = ReadDenyMatcher::try_new(&policy, cwd.as_path())
+        .expect("accepted pattern")
+        .expect("deny matcher");
+
+    assert_eq!(effective.is_read_denied(denied_path.as_path()), true);
+    assert_eq!(
+        effective.is_read_denied(denied_path.as_path()),
+        current_matcher.is_read_denied(denied_path.as_path())
+    );
+    assert_eq!(effective.can_read(denied_path.as_path()), false);
+}
+
+#[test]
+fn effective_permissions_fail_closed_for_malformed_deny_globs() {
+    let temp_dir = TempDir::new().expect("temp dir");
+    let cwd = absolute_path(temp_dir.path());
+    let readable_path = cwd.join("readable.txt");
+    let policy = FileSystemSandboxPolicy::restricted(vec![
+        FileSystemSandboxEntry {
+            path: FileSystemPath::Path { path: cwd.clone() },
+            access: FileSystemAccessMode::Read,
+        },
+        FileSystemSandboxEntry {
+            path: FileSystemPath::GlobPattern {
+                pattern: format!("{}/**/[z-a]", cwd.as_path().display()),
+            },
+            access: FileSystemAccessMode::Deny,
+        },
+    ]);
+    let permission_profile =
+        PermissionProfile::from_runtime_permissions(&policy, NetworkSandboxPolicy::Restricted);
+    let effective = derive_effective(&permission_profile, &cwd);
+
+    assert_eq!(effective.is_read_denied(readable_path.as_path()), true);
+    assert_eq!(effective.can_read(readable_path.as_path()), false);
+}

codex-rs/sandboxing/src/lib.rs

@@ -1,5 +1,6 @@
 #[cfg(target_os = "linux")]
 mod bwrap;
+mod effective_filesystem_permissions;
 pub mod landlock;
 mod manager;
 pub mod policy_transforms;
@@ -10,6 +11,11 @@ pub mod seatbelt;
 pub use bwrap::find_system_bwrap_in_path;
 #[cfg(target_os = "linux")]
 pub use bwrap::system_bwrap_warning;
+pub use effective_filesystem_permissions::EffectiveFilesystemPermissions;
+pub use effective_filesystem_permissions::FilesystemPermissionsContext;
+pub use effective_filesystem_permissions::FilesystemPermissionsError;
+pub use effective_filesystem_permissions::FilesystemPermissionsMode;
+pub use effective_filesystem_permissions::ValidatedDenyGlob;
 pub use manager::SandboxCommand;
 pub use manager::SandboxExecRequest;
 pub use manager::SandboxManager;
@@ -35,6 +41,12 @@ impl From<SandboxTransformError> for CodexErr {
             SandboxTransformError::MissingLinuxSandboxExecutable => {
                 CodexErr::LandlockSandboxExecutableNotProvided
             }
+            SandboxTransformError::InvalidPermissionProfileCwd(message) => {
+                CodexErr::UnsupportedOperation(message)
+            }
+            SandboxTransformError::EffectiveFilesystemPermissions(err) => {
+                CodexErr::UnsupportedOperation(err.to_string())
+            }
             #[cfg(target_os = "linux")]
             SandboxTransformError::Wsl1UnsupportedForBubblewrap => {
                 CodexErr::UnsupportedOperation(crate::bwrap::WSL1_BWRAP_WARNING.to_string())

codex-rs/sandboxing/src/manager.rs

@@ -1,3 +1,6 @@
+use crate::EffectiveFilesystemPermissions;
+use crate::FilesystemPermissionsContext;
+use crate::FilesystemPermissionsError;
 #[cfg(target_os = "linux")]
 use crate::bwrap::WSL1_BWRAP_WARNING;
 #[cfg(target_os = "linux")]
@@ -80,6 +83,7 @@ pub struct SandboxExecRequest {
     pub windows_sandbox_level: WindowsSandboxLevel,
     pub windows_sandbox_private_desktop: bool,
     pub permission_profile: PermissionProfile,
+    pub effective_filesystem_permissions: EffectiveFilesystemPermissions,
     pub file_system_sandbox_policy: FileSystemSandboxPolicy,
     pub network_sandbox_policy: NetworkSandboxPolicy,
     pub arg0: Option<String>,
@@ -106,6 +110,8 @@ pub struct SandboxTransformRequest<'a> {
 #[derive(Debug)]
 pub enum SandboxTransformError {
     MissingLinuxSandboxExecutable,
+    InvalidPermissionProfileCwd(String),
+    EffectiveFilesystemPermissions(FilesystemPermissionsError),
     #[cfg(target_os = "linux")]
     Wsl1UnsupportedForBubblewrap,
     #[cfg(not(target_os = "macos"))]
@@ -118,6 +124,8 @@ impl std::fmt::Display for SandboxTransformError {
             Self::MissingLinuxSandboxExecutable => {
                 write!(f, "missing codex-linux-sandbox executable path")
             }
+            Self::InvalidPermissionProfileCwd(message) => f.write_str(message),
+            Self::EffectiveFilesystemPermissions(err) => write!(f, "{err}"),
             #[cfg(target_os = "linux")]
             Self::Wsl1UnsupportedForBubblewrap => write!(f, "{WSL1_BWRAP_WARNING}"),
             #[cfg(not(target_os = "macos"))]
@@ -186,6 +194,15 @@ impl SandboxManager {
             effective_permission_profile(permissions, additional_permissions.as_ref());
         let (effective_file_system_policy, effective_network_policy) =
             effective_permission_profile.to_runtime_permissions();
+        let policy_evaluation_cwd = AbsolutePathBuf::from_absolute_path(sandbox_policy_cwd)
+            .map_err(|err| SandboxTransformError::InvalidPermissionProfileCwd(err.to_string()))?;
+        let effective_filesystem_permissions = EffectiveFilesystemPermissions::from_profile(
+            &effective_permission_profile,
+            FilesystemPermissionsContext {
+                policy_evaluation_cwd: &policy_evaluation_cwd,
+            },
+        )
+        .map_err(SandboxTransformError::EffectiveFilesystemPermissions)?;
         let mut argv = Vec::with_capacity(1 + command.args.len());
         argv.push(command.program);
         argv.extend(command.args.into_iter().map(OsString::from));
@@ -253,6 +270,7 @@ impl SandboxManager {
             windows_sandbox_level,
             windows_sandbox_private_desktop,
             permission_profile: effective_permission_profile,
+            effective_filesystem_permissions,
             file_system_sandbox_policy: effective_file_system_policy,
             network_sandbox_policy: effective_network_policy,
             arg0: arg0_override,

codex-rs/sandboxing/src/manager_tests.rs

@@ -217,6 +217,18 @@ fn transform_additional_permissions_preserves_denied_entries() {
         })
         .expect("transform");
 
+    assert_eq!(
+        exec_request
+            .effective_filesystem_permissions
+            .can_write(allowed_path.as_path()),
+        true
+    );
+    assert_eq!(
+        exec_request
+            .effective_filesystem_permissions
+            .can_read(denied_path.as_path()),
+        false
+    );
     assert_eq!(
         exec_request.file_system_sandbox_policy,
         FileSystemSandboxPolicy::restricted(vec![