valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: redesign sandbox config (#1373)

Browse Source 
This is a major redesign of how sandbox configuration works and aims to
fix https://github.com/openai/codex/issues/1248. Specifically, it
replaces `sandbox_permissions` in `config.toml` (and the
`-s`/`--sandbox-permission` CLI flags) with a "table" with effectively
three variants:

```toml
# Safest option: full disk is read-only, but writes and network access are disallowed.
[sandbox]
mode = "read-only"

# The cwd of the Codex task is writable, as well as $TMPDIR on macOS.
# writable_roots can be used to specify additional writable folders.
[sandbox]
mode = "workspace-write"
writable_roots = []  # Optional, defaults to the empty list.
network_access = false  # Optional, defaults to false.

# Disable sandboxing: use at your own risk!!!
[sandbox]
mode = "danger-full-access"
```

This should make sandboxing easier to reason about. While we have
dropped support for `-s`, the way it works now is:

- no flags => `read-only`
- `--full-auto` => `workspace-write`
- currently, there is no way to specify `danger-full-access` via a CLI
flag, but we will revisit that as part of
https://github.com/openai/codex/issues/1254

Outstanding issue:

- As noted in the `TODO` on `SandboxPolicy::is_unrestricted()`, we are
still conflating sandbox preferences with approval preferences in that
case, which needs to be cleaned up.
This commit is contained in:
Michael Bolin
2025-06-24 16:59:47 -07:00
committed by GitHub
parent ed5e848f3e
commit 0776d78357
17 changed files with 197 additions and 489 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
codex-rs/linux-sandbox/src/linux_run_main.rs
View File

@@ -1,13 +1,16 @@
use clap::Parser;
use codex_common::SandboxPermissionOption;
use std::ffi::CString;
use std::path::PathBuf;
use crate::landlock::apply_sandbox_policy_to_current_thread;
#[derive(Debug, Parser)]
pub struct LandlockCommand {
#[clap(flatten)]
pub sandbox: SandboxPermissionOption,
/// It is possible that the cwd used in the context of the sandbox policy
/// is different from the cwd of the process to spawn.
pub sandbox_policy_cwd: PathBuf,
pub sandbox_policy: codex_core::protocol::SandboxPolicy,
/// Full command args to run under landlock.
#[arg(trailing_var_arg = true)]
@@ -15,21 +18,13 @@ pub struct LandlockCommand {
}
pub fn run_main() -> ! {
let LandlockCommand { sandbox, command } = LandlockCommand::parse();
let LandlockCommand {
sandbox_policy_cwd,
sandbox_policy,
command,
} = LandlockCommand::parse();
let sandbox_policy = match sandbox.permissions.map(Into::into) {
Some(sandbox_policy) => sandbox_policy,
None => codex_core::protocol::SandboxPolicy::new_read_only_policy(),
};
let cwd = match std::env::current_dir() {
Ok(cwd) => cwd,
Err(e) => {
panic!("failed to getcwd(): {e:?}");
}
};
if let Err(e) = apply_sandbox_policy_to_current_thread(&sandbox_policy, &cwd) {
if let Err(e) = apply_sandbox_policy_to_current_thread(&sandbox_policy, &sandbox_policy_cwd) {
panic!("error running landlock: {e:?}");
}