## What
This change introduces a new `ReadOnlyAccess` model and threads it through
sandbox policy consumers so read access is explicit instead of implicit.
- Added `ReadOnlyAccess` to protocol:
  - `Restricted { include_platform_defaults, readable_roots }`
  - `FullAccess`
- Changed `SandboxPolicy` shape:
  - `ReadOnly` is now `ReadOnly { access: ReadOnlyAccess }`
  - `WorkspaceWrite` now carries `read_only_access: ReadOnlyAccess`
- Kept existing behavior for now by defaulting to `ReadOnlyAccess::FullAccess`
in constructors and current config/app-server mappings.
- Added helper methods to compute effective readable roots (including optional
platform defaults + cwd) and to detect full read access.
- Updated seatbelt policy generation to honor restricted read roots by emitting
scoped `(allow file-read* ...)` entries when full read access is not granted.
- Updated Linux backends (`bwrap`, legacy landlock path) to fail closed with an
explicit `UnsupportedOperation` when restricted read access is requested but
not yet implemented there.
- Updated Windows sandbox backends (standard, elevated, and runner paths) to
fail closed in the same way for restricted read access.
- Updated all call sites/tests/pattern matches for the new structured variants
and regenerated app-server protocol schema/types.
## Why
The previous `SandboxPolicy::ReadOnly` implied full-disk read access and left
no way to express a narrower read surface.
This refactor establishes the policy model needed to support user-configurable
read restrictions in a follow-up without changing current runtime behavior.
It also ensures we do not silently ignore future restricted-read policies on
platform backends that do not support them yet. Failing closed keeps sandbox
semantics predictable and avoids accidental over-permission.
## Compatibility and rollout notes
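- Existing behavior is preserved by default: constructors and current config/app-server mappings default to `ReadOnlyAccess::FullAccess`, so reads remain unrestricted unless a policy explicitly sets `Restricted`.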
- Existing config/app-server flows continue to serialize/deserialize cleanly.
- New schema artifacts are included to keep generated protocol outputs in sync.
## Validation
- `just fmt`
- `just fix -p codex-protocol -p codex-core -p codex-linux-sandbox -p codex-windows-sandbox -p codex-app-server-protocol`
- `cargo check -p codex-windows-sandbox`
- Targeted crate/test runs were executed during development for protocol/core/
sandbox-related crates.
{
|
|
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
"definitions": {
|
|
"AbsolutePathBuf": {
|
|
"description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
|
|
"type": "string"
|
|
},
|
|
"NetworkAccess": {
|
|
"description": "Represents whether outbound network access is available to the agent.",
|
|
"enum": [
|
|
"restricted",
|
|
"enabled"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"ReadOnlyAccess": {
|
|
"description": "Determines how read-only file access is granted inside a restricted sandbox.",
|
|
"oneOf": [
|
|
{
|
|
"description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
|
|
"properties": {
|
|
"include_platform_defaults": {
|
|
"default": true,
|
|
"description": "Include built-in platform read roots required for basic process execution.",
|
|
"type": "boolean"
|
|
},
|
|
"readable_roots": {
|
|
"description": "Additional absolute roots that should be readable.",
|
|
"items": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"restricted"
|
|
],
|
|
"title": "RestrictedReadOnlyAccessType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "RestrictedReadOnlyAccess",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"description": "Allow unrestricted file reads.",
|
|
"properties": {
|
|
"type": {
|
|
"enum": [
|
|
"full-access"
|
|
],
|
|
"title": "FullAccessReadOnlyAccessType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "FullAccessReadOnlyAccess",
|
|
"type": "object"
|
|
}
|
|
]
|
|
},
|
|
"SandboxPolicy": {
|
|
"description": "Determines execution restrictions for model shell commands.",
|
|
"oneOf": [
|
|
{
|
|
"description": "No restrictions whatsoever. Use with caution.",
|
|
"properties": {
|
|
"type": {
|
|
"enum": [
|
|
"danger-full-access"
|
|
],
|
|
"title": "DangerFullAccessSandboxPolicyType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "DangerFullAccessSandboxPolicy",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"description": "Read-only access configuration.",
|
|
"properties": {
|
|
"access": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/ReadOnlyAccess"
|
|
}
|
|
],
|
|
"description": "Read access granted while running under this policy."
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"read-only"
|
|
],
|
|
"title": "ReadOnlySandboxPolicyType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "ReadOnlySandboxPolicy",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"description": "Indicates the process is already in an external sandbox. Allows full disk access while honoring the provided network setting.",
|
|
"properties": {
|
|
"network_access": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/NetworkAccess"
|
|
}
|
|
],
|
|
"default": "restricted",
|
|
"description": "Whether the external sandbox permits outbound network traffic."
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"external-sandbox"
|
|
],
|
|
"title": "ExternalSandboxSandboxPolicyType",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "ExternalSandboxSandboxPolicy",
|
|
"type": "object"
|
|
},
|
|
{
|
|
"description": "Same as `ReadOnly` but additionally grants write access to the current working directory (\"workspace\").",
|
|
"properties": {
|
|
"exclude_slash_tmp": {
|
|
"default": false,
|
|
"description": "When set to `true`, `/tmp` will NOT be included among the default writable roots on UNIX. Defaults to `false`.",
|
|
"type": "boolean"
|
|
},
|
|
"exclude_tmpdir_env_var": {
|
|
"default": false,
|
|
"description": "When set to `true`, will NOT include the per-user `TMPDIR` environment variable among the default writable roots. Defaults to `false`.",
|
|
"type": "boolean"
|
|
},
|
|
"network_access": {
|
|
"default": false,
|
|
"description": "When set to `true`, outbound network access is allowed. `false` by default.",
|
|
"type": "boolean"
|
|
},
|
|
"read_only_access": {
|
|
"allOf": [
|
|
{
|
|
"$ref": "#/definitions/ReadOnlyAccess"
|
|
}
|
|
],
|
|
"description": "Read access granted while running under this policy."
|
|
},
|
|
"type": {
|
|
"enum": [
|
|
"workspace-write"
|
|
],
|
|
"title": "WorkspaceWriteSandboxPolicyType",
|
|
"type": "string"
|
|
},
|
|
"writable_roots": {
|
|
"description": "Additional folders (beyond cwd and possibly TMPDIR) that should be writable from within the sandbox.",
|
|
"items": {
|
|
"$ref": "#/definitions/AbsolutePathBuf"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"required": [
|
|
"type"
|
|
],
|
|
"title": "WorkspaceWriteSandboxPolicy",
|
|
"type": "object"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"properties": {
|
|
"command": {
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"cwd": {
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
},
|
|
"sandboxPolicy": {
|
|
"anyOf": [
|
|
{
|
|
"$ref": "#/definitions/SandboxPolicy"
|
|
},
|
|
{
|
|
"type": "null"
|
|
}
|
|
]
|
|
},
|
|
"timeoutMs": {
|
|
"format": "uint64",
|
|
"minimum": 0.0,
|
|
"type": [
|
|
"integer",
|
|
"null"
|
|
]
|
|
}
|
|
},
|
|
"required": [
|
|
"command"
|
|
],
|
|
"title": "ExecOneOffCommandParams",
|
|
"type": "object"
|
|
} |