feat: redesign sandbox config (#1373)

This is a major redesign of how sandbox configuration works and aims to
fix https://github.com/openai/codex/issues/1248. Specifically, it
replaces `sandbox_permissions` in `config.toml` (and the
`-s`/`--sandbox-permission` CLI flags) with a "table" with effectively
three variants:

```toml
# Safest option: full disk is read-only, but writes and network access are disallowed.
[sandbox]
mode = "read-only"

# The cwd of the Codex task is writable, as well as $TMPDIR on macOS.
# writable_roots can be used to specify additional writable folders.
[sandbox]
mode = "workspace-write"
writable_roots = []  # Optional, defaults to the empty list.
network_access = false  # Optional, defaults to false.

# Disable sandboxing: use at your own risk!!!
[sandbox]
mode = "danger-full-access"
```

This should make sandboxing easier to reason about. While we have
dropped support for `-s`, the way it works now is:

- no flags => `read-only`
- `--full-auto` => `workspace-write`
- currently, there is no way to specify `danger-full-access` via a CLI
flag, but we will revisit that as part of
https://github.com/openai/codex/issues/1254

Outstanding issue:

- As noted in the `TODO` on `SandboxPolicy::is_unrestricted()`, we are
still conflating sandbox preferences with approval preferences in that
case, which needs to be cleaned up.

codex-rs/linux-sandbox/Cargo.toml

@@ -15,15 +15,9 @@ path = "src/lib.rs"
 workspace = true
 
 [dependencies]
+anyhow = "1"
 clap = { version = "4", features = ["derive"] }
 codex-core = { path = "../core" }
-codex-common = { path = "../common", features = ["cli"] }
-
-# Used for error handling in the helper that unifies runtime dispatch across
-# binaries.
-anyhow = "1"
-# Required to construct a Tokio runtime for async execution of the caller's
-# entry-point.
 tokio = { version = "1", features = ["rt-multi-thread"] }
 
 [dev-dependencies]

codex-rs/linux-sandbox/src/linux_run_main.rs

@@ -1,13 +1,16 @@
 use clap::Parser;
-use codex_common::SandboxPermissionOption;
 use std::ffi::CString;
+use std::path::PathBuf;
 
 use crate::landlock::apply_sandbox_policy_to_current_thread;
 
 #[derive(Debug, Parser)]
 pub struct LandlockCommand {
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
+    /// It is possible that the cwd used in the context of the sandbox policy
+    /// is different from the cwd of the process to spawn.
+    pub sandbox_policy_cwd: PathBuf,
+
+    pub sandbox_policy: codex_core::protocol::SandboxPolicy,
 
     /// Full command args to run under landlock.
     #[arg(trailing_var_arg = true)]
@@ -15,21 +18,13 @@ pub struct LandlockCommand {
 }
 
 pub fn run_main() -> ! {
-    let LandlockCommand { sandbox, command } = LandlockCommand::parse();
+    let LandlockCommand {
+        sandbox_policy_cwd,
+        sandbox_policy,
+        command,
+    } = LandlockCommand::parse();
 
-    let sandbox_policy = match sandbox.permissions.map(Into::into) {
-        Some(sandbox_policy) => sandbox_policy,
-        None => codex_core::protocol::SandboxPolicy::new_read_only_policy(),
-    };
-
-    let cwd = match std::env::current_dir() {
-        Ok(cwd) => cwd,
-        Err(e) => {
-            panic!("failed to getcwd(): {e:?}");
-        }
-    };
-
-    if let Err(e) = apply_sandbox_policy_to_current_thread(&sandbox_policy, &cwd) {
+    if let Err(e) = apply_sandbox_policy_to_current_thread(&sandbox_policy, &sandbox_policy_cwd) {
         panic!("error running landlock: {e:?}");
     }
 

codex-rs/linux-sandbox/tests/landlock.rs

@@ -46,7 +46,10 @@ async fn run_cmd(cmd: &[&str], writable_roots: &[PathBuf], timeout_ms: u64) {
         env: create_env_from_core_vars(),
     };
 
-    let sandbox_policy = SandboxPolicy::new_read_only_policy_with_writable_roots(writable_roots);
+    let sandbox_policy = SandboxPolicy::WorkspaceWrite {
+        writable_roots: writable_roots.to_vec(),
+        network_access: false,
+    };
     let sandbox_program = env!("CARGO_BIN_EXE_codex-linux-sandbox");
     let codex_linux_sandbox_exe = Some(PathBuf::from(sandbox_program));
     let ctrl_c = Arc::new(Notify::new());