valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "fix: canonicalize the writeable paths used in seatbelt policy… (#370)

Browse Source 
This reverts commit 3356ac0aef.

related #330
This commit is contained in:
Jon Church
2025-04-18 19:11:34 -04:00
committed by GitHub
parent 8e2e77fafb
commit 9a046dfcaa
1 changed files with 1 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
codex-cli/src/utils/agent/sandbox/macos-seatbelt.ts
View File

@@ -3,7 +3,6 @@ import type { SpawnOptions } from "child_process";
import { exec } from "./raw-exec.js"; import { exec } from "./raw-exec.js";
import { log } from "../log.js"; import { log } from "../log.js";
import { realpathSync } from "fs";
import { CONFIG_DIR } from "src/utils/config.js"; import { CONFIG_DIR } from "src/utils/config.js";
function getCommonRoots() { function getCommonRoots() {
@@ -30,9 +29,7 @@ export function execWithSeatbelt(
const { policies, params } = writableRoots const { policies, params } = writableRoots
.map((root, index) => ({ .map((root, index) => ({
policy: `(subpath (param "WRITABLE_ROOT_${index}"))`, policy: `(subpath (param "WRITABLE_ROOT_${index}"))`,
// the kernel resolves symlinks before handing them to seatbelt for checking param: `-DWRITABLE_ROOT_${index}=${root}`,
// so store the canonicalized form in the policy to be compared against
param: `-DWRITABLE_ROOT_${index}=${realpathSync(root)}`,
})) }))
.reduce( .reduce(
( (