mirrors/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-03 21:01:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat(config): support managed deny-read requirements (#17740)

Browse Source 
## Summary
- adds managed requirements support for deny-read filesystem entries
- constrains config layers so managed deny-read requirements cannot be
widened by user-controlled config
- surfaces managed deny-read requirements through debug/config plumbing

This PR lets managed requirements inject deny-read filesystem
constraints into the effective filesystem sandbox policy.
User-controlled config can still choose the surrounding permission
profile, but it cannot remove or weaken the managed deny-read entries.

## Managed deny-read shape
A managed requirements file can declare exact paths and glob patterns
under `[permissions.filesystem]`:

```toml
# /etc/codex/requirements.toml
[permissions.filesystem]
deny_read = [
  "/Users/alice/.gitconfig",
  "/Users/alice/.ssh",
  "./managed-private/**/*.env",
]
```

Those entries are compiled into the effective filesystem policy as
`access = none` rules, equivalent in shape to filesystem permission
entries like:

```toml
[permissions.workspace.filesystem]
"/Users/alice/.gitconfig" = "none"
"/Users/alice/.ssh" = "none"
"/absolute/path/to/managed-private/**/*.env" = "none"
```

The important difference is that the managed entries come from
requirements, so lower-precedence user config cannot remove them or make
those paths readable again.

Relative managed `deny_read` entries are resolved relative to the
directory containing the managed requirements file. Glob entries keep
their glob suffix after the non-glob prefix is normalized.

## Runtime behavior
- Managed `deny_read` entries are appended to the effective
`FileSystemSandboxPolicy` after the selected permission profile is
resolved.
- Exact paths become `FileSystemPath::Path { access: None }`; glob
patterns become `FileSystemPath::GlobPattern { access: None }`.
- When managed deny-read entries are present, `sandbox_mode` is
constrained to `read-only` or `workspace-write`; `danger-full-access`
and `external-sandbox` cannot silently bypass the managed read-deny
policy.
- On Windows, the managed deny-read policy is enforced for direct file
tools, but shell subprocess reads are not sandboxed yet, so startup
emits a warning for that platform.
- `/debug-config` shows the effective managed requirement as
`permissions.filesystem.deny_read` with its source.

## Stack
1. #15979 - glob deny-read policy/config/direct-tool support
2. #18096 - macOS and Linux sandbox enforcement
3. This PR - managed deny-read requirements

---------

Co-authored-by: Codex <noreply@openai.com>
This commit is contained in:
viyatb-oai
2026-04-17 08:40:09 -07:00
committed by GitHub
parent 2dd6734dd3
commit dae0608c06
10 changed files with 509 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
codex-rs/cloud-requirements/src/lib.rs
View File

@@ -1172,6 +1172,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
}
@@ -1201,6 +1202,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
}
@@ -1230,6 +1232,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
}
@@ -1276,6 +1279,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
})
);
}
@@ -1358,6 +1362,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 2);
@@ -1430,6 +1435,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 2);
@@ -1500,6 +1506,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
@@ -1697,6 +1704,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 0);
@@ -1732,6 +1740,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
@@ -1787,6 +1796,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
@@ -1837,6 +1847,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
@@ -1891,6 +1902,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
@@ -1946,6 +1958,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
@@ -2001,6 +2014,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
})
);
let payload_bytes = cache_payload_bytes(&cache_file.signed_payload).expect("payload bytes");
@@ -2089,6 +2103,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
@@ -2116,6 +2131,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
})
);
}