refactoring with_escalated_permissions to use SandboxPermissions instead (#7750)

helpful in the future if we want more granularity for requesting escalated permissions: e.g when running in readonly sandbox, model can request to escalate to a sandbox that allows writes
2026-05-03 21:01:55 +03:00 · 2025-12-10 09:18:48 -08:00
parent 97b90094cd
commit e0fb3ca1db
27 changed files with 216 additions and 179 deletions
--- a/codex-rs/exec-server/src/posix.rs
+++ b/codex-rs/exec-server/src/posix.rs
@@ -63,6 +63,7 @@ use anyhow::Context as _;
 use clap::Parser;
 use codex_core::config::find_codex_home;
 use codex_core::is_dangerous_command::command_might_be_dangerous;
+use codex_core::sandboxing::SandboxPermissions;
 use codex_execpolicy::Decision;
 use codex_execpolicy::Policy;
 use codex_execpolicy::RuleMatch;
@@ -202,13 +203,19 @@ pub(crate) fn evaluate_exec_policy(
            && rule_match.decision() == evaluation.decision
    });

+    let sandbox_permissions = if decision_driven_by_policy {
+        SandboxPermissions::RequireEscalated
+    } else {
+        SandboxPermissions::UseDefault
+    };
+
    Ok(match evaluation.decision {
        Decision::Forbidden => ExecPolicyOutcome::Forbidden,
        Decision::Prompt => ExecPolicyOutcome::Prompt {
-            run_with_escalated_permissions: decision_driven_by_policy,
+            sandbox_permissions,
        },
        Decision::Allow => ExecPolicyOutcome::Allow {
-            run_with_escalated_permissions: decision_driven_by_policy,
+            sandbox_permissions,
        },
    })
 }
@@ -231,6 +238,7 @@ async fn load_exec_policy() -> anyhow::Result<Policy> {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use codex_core::sandboxing::SandboxPermissions;
    use codex_execpolicy::Decision;
    use codex_execpolicy::Policy;
    use pretty_assertions::assert_eq;
@@ -247,7 +255,7 @@ mod tests {
        assert_eq!(
            outcome,
            ExecPolicyOutcome::Prompt {
-                run_with_escalated_permissions: false
+                sandbox_permissions: SandboxPermissions::UseDefault
            }
        );
    }
@@ -276,7 +284,7 @@ mod tests {
        assert_eq!(
            outcome,
            ExecPolicyOutcome::Allow {
-                run_with_escalated_permissions: true
+                sandbox_permissions: SandboxPermissions::RequireEscalated
            }
        );
    }