mirror of
https://github.com/openai/codex.git
synced 2026-05-02 20:32:04 +03:00
95ba762620
## Summary - keep legacy Windows restricted-token sandboxing as the supported baseline - support the split-policy subset that restricted-token can enforce directly today - support full-disk read, the same writable root set as legacy `WorkspaceWrite`, and extra read-only carveouts under those writable roots via additional deny-write ACLs - continue to fail closed for unsupported split-only shapes, including explicit unreadable (`none`) carveouts, reopened writable descendants under read-only carveouts, and writable root sets that do not match the legacy workspace roots ## Example Given a filesystem policy like: ```toml ":root" = "read" ":cwd" = "write" "./docs" = "read" ``` the restricted-token backend can keep the workspace writable while denying writes under `docs` by layering an extra deny-write carveout on top of the legacy workspace-write roots. A policy like: ```toml "/workspace" = "write" "/workspace/docs" = "read" "/workspace/docs/tmp" = "write" ``` still fails closed, because the unelevated backend cannot reopen the nested writable descendant safely. ## Stack -> fix: support split carveouts in windows restricted-token sandbox #14172 fix: support split carveouts in windows elevated sandbox #14568
101 lines
4.8 KiB
Markdown
101 lines
4.8 KiB
Markdown
# codex-core
|
|
|
|
This crate implements the business logic for Codex. It is designed to be used by the various Codex UIs written in Rust.
|
|
|
|
## Dependencies
|
|
|
|
Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:
|
|
|
|
### macOS
|
|
|
|
Expects `/usr/bin/sandbox-exec` to be present.
|
|
|
|
When using the workspace-write sandbox policy, the Seatbelt profile allows
|
|
writes under the configured writable roots while keeping `.git` (directory or
|
|
pointer file), the resolved `gitdir:` target, and `.codex` read-only.
|
|
|
|
Network access and filesystem read/write roots are controlled by
|
|
`SandboxPolicy`. Seatbelt consumes the resolved policy and enforces it.
|
|
|
|
Seatbelt also supports macOS permission-profile extensions layered on top of
|
|
`SandboxPolicy`:
|
|
|
|
- no extension profile provided:
|
|
keeps legacy default preferences read access (`user-preference-read`).
|
|
- extension profile provided with no `macos_preferences` grant:
|
|
does not add preferences access clauses.
|
|
- `macos_preferences = "readonly"`:
|
|
enables cfprefs read clauses and `user-preference-read`.
|
|
- `macos_preferences = "readwrite"`:
|
|
includes readonly clauses plus `user-preference-write` and cfprefs shm write
|
|
clauses.
|
|
- `macos_automation = true`:
|
|
enables broad Apple Events send permissions.
|
|
- `macos_automation = ["com.apple.Notes", ...]`:
|
|
enables Apple Events send only to listed bundle IDs.
|
|
- `macos_launch_services = true`:
|
|
enables LaunchServices lookups and open/launch operations.
|
|
- `macos_accessibility = true`:
|
|
enables `com.apple.axserver` mach lookup.
|
|
- `macos_calendar = true`:
|
|
enables `com.apple.CalendarAgent` mach lookup.
|
|
- `macos_contacts = "read_only"`:
|
|
enables Address Book read access and Contacts read services.
|
|
- `macos_contacts = "read_write"`:
|
|
includes the readonly Contacts clauses plus Address Book writes and keychain/temp helpers required for writes.
|
|
|
|
### Linux
|
|
|
|
Expects the binary containing `codex-core` to run the equivalent of `codex sandbox linux` (legacy alias: `codex debug landlock`) when `arg0` is `codex-linux-sandbox`. See the `codex-arg0` crate for details.
|
|
|
|
Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on Linux.
|
|
They can continue to use the legacy Landlock path when the split filesystem
|
|
policy is sandbox-equivalent to the legacy model after `cwd` resolution.
|
|
Split filesystem policies that need direct `FileSystemSandboxPolicy`
|
|
enforcement, such as read-only or denied carveouts under a broader writable
|
|
root, automatically route through bubblewrap. The legacy Landlock path is used
|
|
only when the split filesystem policy round-trips through the legacy
|
|
`SandboxPolicy` model without changing semantics. That includes overlapping
|
|
cases like `/repo = write`, `/repo/a = none`, `/repo/a/b = write`, where the
|
|
more specific writable child must reopen under a denied parent.
|
|
|
|
The Linux sandbox helper prefers `/usr/bin/bwrap` whenever it is available and
|
|
supports the required argv-rewrite flags, and falls back to the vendored
|
|
bubblewrap path compiled into the binary otherwise. When `/usr/bin/bwrap` is
|
|
missing or too old to support the required flags, Codex also surfaces a startup
|
|
warning through its normal notification path instead of printing directly from
|
|
the sandbox helper.
|
|
|
|
### Windows
|
|
|
|
Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on
|
|
Windows.
|
|
|
|
The elevated setup/runner backend supports legacy `ReadOnlyAccess::Restricted`
|
|
for `read-only` and `workspace-write` policies. Restricted read access honors
|
|
explicit readable roots plus the command `cwd`, and keeps writable roots
|
|
readable when `workspace-write` is used.
|
|
|
|
When `include_platform_defaults = true`, the elevated Windows backend adds
|
|
backend-managed system read roots required for basic execution, such as
|
|
`C:\Windows`, `C:\Program Files`, `C:\Program Files (x86)`, and
|
|
`C:\ProgramData`. When it is `false`, those extra system roots are omitted.
|
|
|
|
The unelevated restricted-token backend still supports the legacy full-read
|
|
Windows model for legacy `ReadOnly` and `WorkspaceWrite` behavior. It also
|
|
supports a narrow split-filesystem subset: full-read split policies whose
|
|
writable roots still match the legacy `WorkspaceWrite` root set, but add extra
|
|
read-only carveouts under those writable roots.
|
|
|
|
New `[permissions]` / split filesystem policies remain supported on Windows
|
|
only when they round-trip through the legacy `SandboxPolicy` model without
|
|
changing semantics. Policies that would require direct read restriction,
|
|
explicit unreadable carveouts, reopened writable descendants under read-only
|
|
carveouts, different writable root sets, or split carveout support in the
|
|
elevated setup/runner backend still fail closed instead of running with weaker
|
|
enforcement.
|
|
|
|
### All Platforms
|
|
|
|
Expects the binary containing `codex-core` to simulate the virtual `apply_patch` CLI when `arg1` is `--codex-run-as-apply-patch`. See the `codex-arg0` crate for details.
|