feat: redesign sandbox config (#1373)

This is a major redesign of how sandbox configuration works and aims to fix https://github.com/openai/codex/issues/1248. Specifically, it replaces `sandbox_permissions` in `config.toml` (and the `-s`/`--sandbox-permission` CLI flags) with a "table" with effectively three variants: ```toml # Safest option: full disk is read-only, but writes and network access are disallowed. [sandbox] mode = "read-only" # The cwd of the Codex task is writable, as well as $TMPDIR on macOS. # writable_roots can be used to specify additional writable folders. [sandbox] mode = "workspace-write" writable_roots = [] # Optional, defaults to the empty list. network_access = false # Optional, defaults to false. # Disable sandboxing: use at your own risk!!! [sandbox] mode = "danger-full-access" ``` This should make sandboxing easier to reason about. While we have dropped support for `-s`, the way it works now is: - no flags => `read-only` - `--full-auto` => `workspace-write` - currently, there is no way to specify `danger-full-access` via a CLI flag, but we will revisit that as part of https://github.com/openai/codex/issues/1254 Outstanding issue: - As noted in the `TODO` on `SandboxPolicy::is_unrestricted()`, we are still conflating sandbox preferences with approval preferences in that case, which needs to be cleaned up.
2025-06-24 16:59:47 -07:00
parent ed5e848f3e
commit 0776d78357
17 changed files with 197 additions and 489 deletions
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -225,41 +225,20 @@ fn create_linux_sandbox_command_args(
    sandbox_policy: &SandboxPolicy,
    cwd: &Path,
 ) -> Vec<String> {
-    let mut linux_cmd: Vec<String> = vec![];
+    #[expect(clippy::expect_used)]
+    let sandbox_policy_cwd = cwd.to_str().expect("cwd must be valid UTF-8").to_string();

-    // Translate individual permissions.
-    // Use high-level helper methods to infer flags when we cannot see the
-    // exact permission list.
-    if sandbox_policy.has_full_disk_read_access() {
-        linux_cmd.extend(["-s", "disk-full-read-access"].map(String::from));
-    }
+    #[expect(clippy::expect_used)]
+    let sandbox_policy_json =
+        serde_json::to_string(sandbox_policy).expect("Failed to serialize SandboxPolicy to JSON");

-    if sandbox_policy.has_full_disk_write_access() {
-        linux_cmd.extend(["-s", "disk-full-write-access"].map(String::from));
-    } else {
-        // Derive granular writable paths (includes cwd if `DiskWriteCwd` is
-        // present).
-        for root in sandbox_policy.get_writable_roots_with_cwd(cwd) {
-            // Check if this path corresponds exactly to cwd to map to
-            // `disk-write-cwd`, otherwise use the generic folder rule.
-            if root == cwd {
-                linux_cmd.extend(["-s", "disk-write-cwd"].map(String::from));
-            } else {
-                linux_cmd.extend([
-                    "-s".to_string(),
-                    format!("disk-write-folder={}", root.to_string_lossy()),
-                ]);
-            }
-        }
-    }
-
-    if sandbox_policy.has_full_network_access() {
-        linux_cmd.extend(["-s", "network-full-access"].map(String::from));
-    }
-
-    // Separator so that command arguments starting with `-` are not parsed as
-    // options of the helper itself.
-    linux_cmd.push("--".to_string());
+    let mut linux_cmd: Vec<String> = vec![
+        sandbox_policy_cwd,
+        sandbox_policy_json,
+        // Separator so that command arguments starting with `-` are not parsed as
+        // options of the helper itself.
+        "--".to_string(),
+    ];

    // Append the original tool command.
    linux_cmd.extend(command);