mirror of
https://github.com/openai/codex.git
synced 2026-04-26 15:45:02 +00:00
3d2f123895
## Why #18274 made `PermissionProfile` the canonical file-system permissions shape, but the round-trip from `FileSystemSandboxPolicy` to `PermissionProfile` still dropped one piece of policy metadata: `glob_scan_max_depth`. That field is security-relevant for deny-read globs such as `**/*.env`. On Linux, bubblewrap sandbox construction uses it to bound unreadable glob expansion. If a profile copied from active runtime permissions loses this value and is submitted back as an override, the resulting `FileSystemSandboxPolicy` can behave differently even though the visible permission entries look equivalent. ## What changed - Add `glob_scan_max_depth` to protocol `FileSystemPermissions` and preserve it when converting to/from `FileSystemSandboxPolicy`. - Keep legacy `read`/`write` JSON for simple path-only permissions, but force canonical JSON when glob scan depth is present so the metadata is not silently dropped. - Carry `globScanMaxDepth` through app-server `AdditionalFileSystemPermissions`, generated JSON/TypeScript schemas, and app-server/TUI conversion call sites. - Preserve the metadata through sandboxing permission normalization, merging, and intersection. - Carry the merged scan depth into the effective `FileSystemSandboxPolicy` used for command execution, so bounded deny-read globs reach Linux bubblewrap materialization. ## Verification - `cargo test -p codex-sandboxing glob_scan -- --nocapture` - `cargo test -p codex-sandboxing policy_transforms -- --nocapture` - `just fix -p codex-sandboxing` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/18713). * #18288 * #18287 * #18286 * #18285 * #18284 * #18283 * #18282 * #18281 * #18280 * #18279 * #18278 * #18277 * #18276 * #18275 * __->__ #18713
321 lines
7.0 KiB
JSON
Generated
321 lines
7.0 KiB
JSON
Generated
{
|
|
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
"definitions": {
|
|
"AbsolutePathBuf": {
|
|
"description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
|
|
"type": "string"
|
|
},
|
|
"AdditionalFileSystemPermissions": {
|
|
"properties": {
|
|
"entries": {
|
|
"items": {
|
|
"$ref": "#/definitions/FileSystemSandboxEntry"
|
|
},
|
|
"type": [
|
|
"array",
|
|
"null"
|
|
]
|
|
},
|
|
"globScanMaxDepth": {
|
|
"format": "uint",
|
|
"minimum": 1.0,
|
|
"type": [
|
|
"integer",
|
|
"null"
|
|
]
|
|
},
|
|
"read": {
|
|
"items": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": [
|
|
"array",
|
|
"null"
|
|
]
|
|
},
|
|
"write": {
|
|
"items": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": [
|
|
"array",
|
|
"null"
|
|
]
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"AdditionalNetworkPermissions": {
|
|
"properties": {
|
|
"enabled": {
|
|
"type": [
|
|
"boolean",
|
|
"null"
|
|
]
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"FileSystemAccessMode": {
|
|
"enum": [
|
|
"read",
|
|
"write",
|
|
"none"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"FileSystemPath": {
|
|
"oneOf": [
|
|
{
|
|
"properties": {
|
|
"path": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"path"
|
|
],
|
|
"title": "PathFileSystemPathType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"path",
|
|
"type"
|
|
],
|
|
"title": "PathFileSystemPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"pattern": {
|
|
"type": "string"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"glob_pattern"
|
|
],
|
|
"title": "GlobPatternFileSystemPathType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"pattern",
|
|
"type"
|
|
],
|
|
"title": "GlobPatternFileSystemPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"type": {
|
|
"enum": [
|
|
"special"
|
|
],
|
|
"title": "SpecialFileSystemPathType",
|
|
"type": "string"
|
|
},
|
|
"value": {
|
|
"$ref": "#/definitions/FileSystemSpecialPath"
|
|
}
|
|
},
|
|
"required": [
|
|
"type",
|
|
"value"
|
|
],
|
|
"title": "SpecialFileSystemPath",
|
|
"type": "object"
|
|
}
|
|
]
|
|
},
|
|
"FileSystemSandboxEntry": {
|
|
"properties": {
|
|
"access": {
|
|
"$ref": "#/definitions/FileSystemAccessMode"
|
|
},
|
|
"path": {
|
|
"$ref": "#/definitions/FileSystemPath"
|
|
}
|
|
},
|
|
"required": [
|
|
"access",
|
|
"path"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"FileSystemSpecialPath": {
|
|
"oneOf": [
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"root"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kind"
|
|
],
|
|
"title": "RootFileSystemSpecialPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"minimal"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kind"
|
|
],
|
|
"title": "MinimalFileSystemSpecialPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"current_working_directory"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kind"
|
|
],
|
|
"title": "CurrentWorkingDirectoryFileSystemSpecialPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"project_roots"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"subpath": {
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
}
|
|
},
|
|
"required": [
|
|
"kind"
|
|
],
|
|
"title": "KindFileSystemSpecialPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"tmpdir"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kind"
|
|
],
|
|
"title": "TmpdirFileSystemSpecialPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"slash_tmp"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kind"
|
|
],
|
|
"title": "SlashTmpFileSystemSpecialPath",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"properties": {
|
|
"kind": {
|
|
"enum": [
|
|
"unknown"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"path": {
|
|
"type": "string"
|
|
},
|
|
"subpath": {
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
}
|
|
},
|
|
"required": [
|
|
"kind",
|
|
"path"
|
|
],
|
|
"type": "object"
|
|
}
|
|
]
|
|
},
|
|
"GrantedPermissionProfile": {
|
|
"properties": {
|
|
"fileSystem": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/AdditionalFileSystemPermissions"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
]
|
|
},
|
|
"network": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/AdditionalNetworkPermissions"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"PermissionGrantScope": {
|
|
"enum": [
|
|
"turn",
|
|
"session"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"properties": {
|
|
"permissions": {
|
|
"$ref": "#/definitions/GrantedPermissionProfile"
|
|
},
|
|
"scope": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/PermissionGrantScope"
|
|
}
|
|
],
|
|
"default": "turn"
|
|
}
|
|
},
|
|
"required": [
|
|
"permissions"
|
|
],
|
|
"title": "PermissionsRequestApprovalResponse",
|
|
"type": "object"
|
|
} |