fix: overhaul SandboxPolicy and config loading in Rust (#732)

Previous to this PR, `SandboxPolicy` was a bit difficult to work with: 237f8a11e1/codex-rs/core/src/protocol.rs (L98-L108) Specifically: * It was an `enum` and therefore options were mutually exclusive as opposed to additive. * It defined things in terms of what the agent _could not_ do as opposed to what they _could_ do. This made things hard to support because we would prefer to build up a sandbox config by starting with something extremely restrictive and only granting permissions for things the user as explicitly allowed. This PR changes things substantially by redefining the policy in terms of two concepts: * A `SandboxPermission` enum that defines permissions that can be granted to the agent/sandbox. * A `SandboxPolicy` that internally stores a `Vec<SandboxPermission>`, but externally exposes a simpler API that can be used to configure Seatbelt/Landlock. Previous to this PR, we supported a `--sandbox` flag that effectively mapped to an enum value in `SandboxPolicy`. Though now that `SandboxPolicy` is a wrapper around `Vec<SandboxPermission>`, the single `--sandbox` flag no longer makes sense. While I could have turned it into a flag that the user can specify multiple times, I think the current values to use with such a flag are long and potentially messy, so for the moment, I have dropped support for `--sandbox` altogether and we can bring it back once we have figured out the naming thing. Since `--sandbox` is gone, users now have to specify `--full-auto` to get a sandbox that allows writes in `cwd`. Admittedly, there is no clean way to specify the equivalent of `--full-auto` in your `config.toml` right now, so we will have to revisit that, as well. Because `Config` presents a `SandboxPolicy` field and `SandboxPolicy` changed considerably, I had to overhaul how config loading works, as well. There are now two distinct concepts, `ConfigToml` and `Config`: * `ConfigToml` is the deserialization of `~/.codex/config.toml`. As one might expect, every field is `Optional` and it is `#[derive(Deserialize, Default)]`. Consistent use of `Optional` makes it clear what the user has specified explicitly. * `Config` is the "normalized config" and is produced by merging `ConfigToml` with `ConfigOverrides`. Where `ConfigToml` contains a raw `Option<Vec<SandboxPermission>>`, `Config` presents only the final `SandboxPolicy`. The changes to `core/src/exec.rs` and `core/src/linux.rs` merit extra special attention to ensure we are faithfully mapping the `SandboxPolicy` to the Seatbelt and Landlock configs, respectively. Also, take note that `core/src/seatbelt_readonly_policy.sbpl` has been renamed to `codex-rs/core/src/seatbelt_base_policy.sbpl` and that `(allow file-read*)` has been removed from the `.sbpl` file as now this is added to the policy in `core/src/exec.rs` when `sandbox_policy.has_full_disk_read_access()` is `true`.
2025-04-29 15:01:16 -07:00
parent 237f8a11e1
commit 0a00b5ed29
21 changed files with 408 additions and 259 deletions
--- a/codex-rs/core/src/linux.rs
+++ b/codex-rs/core/src/linux.rs
@@ -32,14 +32,13 @@ use tokio::sync::Notify;

 pub async fn exec_linux(
    params: ExecParams,
-    writable_roots: &[PathBuf],
    ctrl_c: Arc<Notify>,
-    sandbox_policy: SandboxPolicy,
+    sandbox_policy: &SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
    // Allow READ on /
    // Allow WRITE on /dev/null
    let ctrl_c_copy = ctrl_c.clone();
-    let writable_roots_copy = writable_roots.to_vec();
+    let sandbox_policy = sandbox_policy.clone();

    // Isolate thread to run the sandbox from
    let tool_call_output = std::thread::spawn(move || {
@@ -49,14 +48,7 @@ pub async fn exec_linux(
            .expect("Failed to create runtime");

        rt.block_on(async {
-            if sandbox_policy.is_network_restricted() {
-                install_network_seccomp_filter_on_current_thread()?;
-            }
-
-            if sandbox_policy.is_file_write_restricted() {
-                install_filesystem_landlock_rules_on_current_thread(writable_roots_copy)?;
-            }
-
+            apply_sandbox_policy_to_current_thread(sandbox_policy)?;
            exec(params, ctrl_c_copy).await
        })
    })
@@ -72,15 +64,31 @@ pub async fn exec_linux(
    }
 }

+/// Apply sandbox policies inside this thread so only the child inherits
+/// them, not the entire CLI process.
+pub fn apply_sandbox_policy_to_current_thread(sandbox_policy: SandboxPolicy) -> Result<()> {
+    if !sandbox_policy.has_full_network_access() {
+        install_network_seccomp_filter_on_current_thread()?;
+    }
+
+    if !sandbox_policy.has_full_disk_write_access() {
+        let writable_roots = sandbox_policy.get_writable_roots();
+        install_filesystem_landlock_rules_on_current_thread(writable_roots)?;
+    }
+
+    // TODO(ragona): Add appropriate restrictions if
+    // `sandbox_policy.has_full_disk_read_access()` is `false`.
+
+    Ok(())
+}
+
 /// Installs Landlock file-system rules on the current thread allowing read
 /// access to the entire file-system while restricting write access to
 /// `/dev/null` and the provided list of `writable_roots`.
 ///
 /// # Errors
 /// Returns [`CodexErr::Sandbox`] variants when the ruleset fails to apply.
-pub fn install_filesystem_landlock_rules_on_current_thread(
-    writable_roots: Vec<PathBuf>,
-) -> Result<()> {
+fn install_filesystem_landlock_rules_on_current_thread(writable_roots: Vec<PathBuf>) -> Result<()> {
    let abi = ABI::V5;
    let access_rw = AccessFs::from_all(abi);
    let access_ro = AccessFs::from_read(abi);
@@ -108,7 +116,7 @@ pub fn install_filesystem_landlock_rules_on_current_thread(

 /// Installs a seccomp filter that blocks outbound network access except for
 /// AF_UNIX domain sockets.
-pub fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(), SandboxErr> {
+fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(), SandboxErr> {
    // Build rule map.
    let mut rules: BTreeMap<i64, Vec<SeccompRule>> = BTreeMap::new();

@@ -184,15 +192,14 @@ mod tests_linux {
            workdir: None,
            timeout_ms: Some(timeout_ms),
        };
-        let res = process_exec_tool_call(
-            params,
-            SandboxType::LinuxSeccomp,
-            writable_roots,
-            Arc::new(Notify::new()),
-            SandboxPolicy::NetworkAndFileWriteRestricted,
-        )
-        .await
-        .unwrap();
+
+        let sandbox_policy =
+            SandboxPolicy::new_read_only_policy_with_writable_roots(writable_roots);
+        let ctrl_c = Arc::new(Notify::new());
+        let res =
+            process_exec_tool_call(params, SandboxType::LinuxSeccomp, ctrl_c, &sandbox_policy)
+                .await
+                .unwrap();

        if res.exit_code != 0 {
            println!("stdout:\n{}", res.stdout);
@@ -261,14 +268,11 @@ mod tests_linux {
            timeout_ms: Some(2_000),
        };

-        let result = process_exec_tool_call(
-            params,
-            SandboxType::LinuxSeccomp,
-            &[],
-            Arc::new(Notify::new()),
-            SandboxPolicy::NetworkRestricted,
-        )
-        .await;
+        let sandbox_policy = SandboxPolicy::new_read_only_policy();
+        let ctrl_c = Arc::new(Notify::new());
+        let result =
+            process_exec_tool_call(params, SandboxType::LinuxSeccomp, ctrl_c, &sandbox_policy)
+                .await;

        let (exit_code, stdout, stderr) = match result {
            Ok(output) => (output.exit_code, output.stdout, output.stderr),