codex

mirrors/codex

Fork 0

mirror of https://github.com/openai/codex.git synced 2026-05-02 12:21:26 +03:00

Commit Graph

Author	SHA1	Message	Date
iceweasel-oai	aabe0f259c	implement per-workspace capability SIDs for workspace specific ACLs (#10189 ) Today, there is a single capability SID that allows the sandbox to write to * workspace (cwd) * tmp directories if enabled * additional writable roots This change splits those up, so that each workspace has its own capability SID, while tmp and additional roots, which are installation-wide, are still governed by the "generic" capability SID This isolates workspaces from each other in terms of sandbox write access. Also allows us to protect <cwd>/.codex when codex runs in a specific <cwd>	2026-02-03 12:37:51 -08:00

Author

SHA1

Message

Date

iceweasel-oai

aabe0f259c

implement per-workspace capability SIDs for workspace specific ACLs (#10189 )

Today, there is a single capability SID that allows the sandbox to write
to
* workspace (cwd)
* tmp directories if enabled
* additional writable roots

This change splits those up, so that each workspace has its own
capability SID, while tmp and additional roots, which are
installation-wide, are still governed by the "generic" capability SID

This isolates workspaces from each other in terms of sandbox write
access.
Also allows us to protect <cwd>/.codex when codex runs in a specific
<cwd>

2026-02-03 12:37:51 -08:00

1 Commits