fix(network-proxy): add unix socket allow-all and update seatbelt rules (#11368)

## Summary Adds support for a Unix socket escape hatch so we can bypass socket allowlisting when explicitly enabled. ## Description * added a new flag, `network.dangerously_allow_all_unix_sockets` as an explicit escape hatch * In codex-network-proxy, enabling that flag now allows any absolute Unix socket path from x-unix-socket instead of requiring each path to be explicitly allowlisted. Relative paths are still rejected. * updated the macOS seatbelt path in core so it enforces the same Unix socket behavior: * allowlisted sockets generate explicit network* subpath rules * allow-all generates a broad network* (subpath "/") rule --------- Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
2026-05-04 21:32:21 +03:00 · 2026-02-20 10:56:57 -08:00
parent 73fd939296
commit 28c0089060
19 changed files with 553 additions and 18 deletions
--- a/codex-rs/network-proxy/src/state.rs
+++ b/codex-rs/network-proxy/src/state.rs
@@ -19,6 +19,7 @@ pub struct NetworkProxyConstraints {
    pub allow_upstream_proxy: Option<bool>,
    pub dangerously_allow_non_loopback_proxy: Option<bool>,
    pub dangerously_allow_non_loopback_admin: Option<bool>,
+    pub dangerously_allow_all_unix_sockets: Option<bool>,
    pub allowed_domains: Option<Vec<String>>,
    pub denied_domains: Option<Vec<String>>,
    pub allow_unix_sockets: Option<Vec<String>>,
@@ -38,6 +39,7 @@ pub struct PartialNetworkConfig {
    pub allow_upstream_proxy: Option<bool>,
    pub dangerously_allow_non_loopback_proxy: Option<bool>,
    pub dangerously_allow_non_loopback_admin: Option<bool>,
+    pub dangerously_allow_all_unix_sockets: Option<bool>,
    #[serde(default)]
    pub allowed_domains: Option<Vec<String>>,
    #[serde(default)]
@@ -52,6 +54,7 @@ pub fn build_config_state(
    config: NetworkProxyConfig,
    constraints: NetworkProxyConstraints,
 ) -> anyhow::Result<ConfigState> {
+    crate::config::validate_unix_socket_allowlist_paths(&config)?;
    let deny_set = compile_globset(&config.network.denied_domains)?;
    let allow_set = compile_globset(&config.network.allowed_domains)?;
    Ok(ConfigState {
@@ -173,6 +176,24 @@ pub fn validate_policy_against_constraints(
        },
    )?;

+    let allow_all_unix_sockets = constraints
+        .dangerously_allow_all_unix_sockets
+        .unwrap_or(constraints.allow_unix_sockets.is_none());
+    validate(
+        config.network.dangerously_allow_all_unix_sockets,
+        move |candidate| {
+            if *candidate && !allow_all_unix_sockets {
+                Err(invalid_value(
+                    "network.dangerously_allow_all_unix_sockets",
+                    "true",
+                    "false (disabled by managed config)",
+                ))
+            } else {
+                Ok(())
+            }
+        },
+    )?;
+
    if let Some(allow_local_binding) = constraints.allow_local_binding {
        validate(config.network.allow_local_binding, move |candidate| {
            if *candidate && !allow_local_binding {