[feat] add seatbelt permission files (#11639)

Add seatbelt permission extension abstraction as permission files for seatbelt profiles. This should complement our current sandbox policy
2026-05-02 04:11:39 +03:00 · 2026-02-12 15:30:22 -08:00
parent 76256a8cec
commit dfd1e199a0
5 changed files with 393 additions and 6 deletions
--- a/codex-rs/core/README.md
+++ b/codex-rs/core/README.md
@@ -14,6 +14,30 @@ When using the workspace-write sandbox policy, the Seatbelt profile allows
 writes under the configured writable roots while keeping `.git` (directory or
 pointer file), the resolved `gitdir:` target, and `.codex` read-only.

+Network access and filesystem read/write roots are controlled by
+`SandboxPolicy`. Seatbelt consumes the resolved policy and enforces it.
+
+Seatbelt also supports macOS permission-profile extensions layered on top of
+`SandboxPolicy`:
+
+- no extension profile provided:
+  keeps legacy default preferences read access (`user-preference-read`).
+- extension profile provided with no `macos_preferences` grant:
+  does not add preferences access clauses.
+- `macos_preferences = "readonly"`:
+  enables cfprefs read clauses and `user-preference-read`.
+- `macos_preferences = "readwrite"`:
+  includes readonly clauses plus `user-preference-write` and cfprefs shm write
+  clauses.
+- `macos_automation = true`:
+  enables broad Apple Events send permissions.
+- `macos_automation = ["com.apple.Notes", ...]`:
+  enables Apple Events send only to listed bundle IDs.
+- `macos_accessibility = true`:
+  enables `com.apple.axserver` mach lookup.
+- `macos_calendar = true`:
+  enables `com.apple.CalendarAgent` mach lookup.
+
 ### Linux

 Expects the binary containing `codex-core` to run the equivalent of `codex sandbox linux` (legacy alias: `codex debug landlock`) when `arg0` is `codex-linux-sandbox`. See the `codex-arg0` crate for details.