mirror of
https://github.com/openai/codex.git
synced 2026-05-30 07:50:17 +00:00
## Why

Permission profiles can mark filesystem entries as unreadable with `deny` rules, including glob patterns. Several shell execution paths treated known-safe commands or execpolicy `allow` rules as sufficient to run outside the filesystem sandbox. That is not valid for read-capable commands: for example, `cat` or `ls` may be reasonable to allow generally, but dropping the sandbox would also drop deny-read constraints such as `**/*.env`.

## What changed

- Added a shared check that treats active deny-read restrictions as incompatible with unsandboxed execution.
- Kept first-attempt execution sandboxed for explicit escalation and execpolicy allow bypasses when deny-read entries are present.
- Prevented no-sandbox retry after a sandbox denial when the active filesystem policy contains deny-read entries.
- Updated the zsh-fork execve path so prefix-rule `allow` decisions continue inside the current sandbox when deny-read restrictions are active.

## Verification

- `cargo test -p codex-core tools::sandboxing::tests`
- `cargo test -p codex-core tools::runtimes::shell::unix_escalation::tests`
- `cargo test -p codex-core shell_command_enforces_glob_deny_read_policy`
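The decision described in this PR, written out as an added toy model that is not code from the codex repository: the shared "deny-read present, so stay sandboxed" check, the first-attempt and retry decisions built on it, and a small glob matcher showing why a `**/*.env` deny rule would be lost if the sandbox were dropped for an allowed `cat`. All type and function names (`DenyRule`, `Access`, `Mode`, `glob_matches`, `has_deny_read`, `first_attempt_mode`, `may_retry_unsandboxed`, `deny_read_rule_for`) are assumptions for illustration, not codex-core's own API.

```rust
// Added illustration, not codex's own code: all names and shapes below are assumed.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Access { Read, Write }
/// One `deny` entry from a permission profile: a glob pattern and the access it forbids.
pub struct DenyRule { pub glob: String, pub access: Access }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Mode { Sandboxed, Unsandboxed }

/// Minimal glob matcher: `*` within one path segment, `**` spans any number of segments.
pub fn glob_matches(pattern: &str, path: &str) -> bool {
    fn seg(pat: &str, name: &str) -> bool {
        match pat.split_once('*') {
            None => pat == name,
            Some((pre, suf)) => name.len() >= pre.len() + suf.len()
                && name.starts_with(pre) && name.ends_with(suf),
        }
    }
    fn rec(p: &[&str], s: &[&str]) -> bool {
        match (p.first(), s.first()) {
            (None, None) => true,
            (Some(&"**"), _) => rec(&p[1..], s) || (!s.is_empty() && rec(p, &s[1..])),
            (Some(pat), Some(name)) => seg(pat, name) && rec(&p[1..], &s[1..]),
            _ => false,
        }
    }
    let p: Vec<&str> = pattern.split('/').collect();
    let s: Vec<&str> = path.split('/').collect();
    rec(&p, &s)
}

/// The shared check: any active deny-read rule makes unsandboxed execution unsafe.
pub fn has_deny_read(rules: &[DenyRule]) -> bool {
    rules.iter().any(|r| r.access == Access::Read)
}

/// First attempt: an explicit escalation or execpolicy `allow` only drops the
/// sandbox when no deny-read rules are active; otherwise the command runs sandboxed.
pub fn first_attempt_mode(bypass_requested: bool, rules: &[DenyRule]) -> Mode {
    if bypass_requested && !has_deny_read(rules) { Mode::Unsandboxed } else { Mode::Sandboxed }
}

/// After a sandbox denial, a no-sandbox retry is allowed only if it cannot widen reads.
pub fn may_retry_unsandboxed(rules: &[DenyRule]) -> bool {
    !has_deny_read(rules)
}

/// What an unsandboxed `cat`/`ls` would gain: the deny-read rule that covers `path`, if any.
pub fn deny_read_rule_for<'a>(rules: &'a [DenyRule], path: &str) -> Option<&'a str> {
    rules.iter().find(|r| r.access == Access::Read && glob_matches(&r.glob, path))
        .map(|r| r.glob.as_str())
}
```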