cd5f9074af
Replaces the `include_default_writable_roots` option on `sandbox_workspace_write` (that defaulted to `true`, which was slightly weird/annoying) with `exclude_tmpdir_env_var`, which defaults to `false`. Though perhaps more importantly `/tmp` is now enabled by default as part of `sandbox_mode = "workspace-write"`, though `exclude_slash_tmp = false` can be used to disable this.
37 lines
1.2 KiB
Rust
37 lines
1.2 KiB
Rust
use codex_core::protocol::SandboxPolicy;
|
|
|
|
pub fn summarize_sandbox_policy(sandbox_policy: &SandboxPolicy) -> String {
|
|
match sandbox_policy {
|
|
SandboxPolicy::DangerFullAccess => "danger-full-access".to_string(),
|
|
SandboxPolicy::ReadOnly => "read-only".to_string(),
|
|
SandboxPolicy::WorkspaceWrite {
|
|
writable_roots,
|
|
network_access,
|
|
exclude_tmpdir_env_var,
|
|
exclude_slash_tmp,
|
|
} => {
|
|
let mut summary = "workspace-write".to_string();
|
|
|
|
let mut writable_entries = Vec::<String>::new();
|
|
writable_entries.push("workdir".to_string());
|
|
if !*exclude_slash_tmp {
|
|
writable_entries.push("/tmp".to_string());
|
|
}
|
|
if !*exclude_tmpdir_env_var {
|
|
writable_entries.push("$TMPDIR".to_string());
|
|
}
|
|
writable_entries.extend(
|
|
writable_roots
|
|
.iter()
|
|
.map(|p| p.to_string_lossy().to_string()),
|
|
);
|
|
|
|
summary.push_str(&format!(" [{}]", writable_entries.join(", ")));
|
|
if *network_access {
|
|
summary.push_str(" (network access enabled)");
|
|
}
|
|
summary
|
|
}
|
|
}
|
|
}
|