Skip to content

feat(sandbox): add glob deny-read platform enforcement#18096

Merged
viyatb-oai merged 12 commits intomainfrom
codex/viyatb/deny-read-globs-sandbox
Apr 17, 2026
Merged

feat(sandbox): add glob deny-read platform enforcement#18096
viyatb-oai merged 12 commits intomainfrom
codex/viyatb/deny-read-globs-sandbox

Conversation

@viyatb-oai
Copy link
Copy Markdown
Collaborator

@viyatb-oai viyatb-oai commented Apr 16, 2026
edited
Loading

Summary

  • adds macOS Seatbelt deny rules for unreadable glob patterns
  • expands unreadable glob matches on Linux and masks them in bwrap, including canonical symlink targets
  • keeps Linux glob expansion robust when rg is unavailable in minimal or Bazel test environments
  • adds sandbox integration coverage that runs shell and exec_command with a **/*.env = none policy and verifies the secret contents do not reach the model

Linux glob expansion

Prefer:   rg --files --hidden --no-ignore --glob <pattern> -- <search-root>
Fallback: internal globset walker when rg is not installed
Failure:  any other rg failure aborts sandbox construction

[permissions.workspace.filesystem]
glob_scan_max_depth = 2

[permissions.workspace.filesystem.":project_roots"]
"**/*.env" = "none"

This keeps the common path fast without making sandbox construction depend on an ambient rg binary. If rg is present but fails for another reason, the sandbox setup fails closed instead of silently omitting deny-read masks.

Platform support

  • macOS: subprocess sandbox enforcement is handled by Seatbelt regex deny rules
  • Linux: subprocess sandbox enforcement is handled by expanding existing glob matches and masking them in bwrap
  • Windows: policy/config/direct-tool glob support is already on main from feat(permissions): add glob deny-read policy support #15979; Windows subprocess sandbox paths continue to fail closed when unreadable split filesystem carveouts require runtime enforcement, rather than silently running unsandboxed

Stack

  1. feat(permissions): add glob deny-read policy support #15979 - merged: cross-platform glob deny-read policy/config/direct-tool support for macOS, Linux, and Windows
  2. This PR - macOS/Linux subprocess sandbox enforcement plus Windows fail-closed clarification
  3. feat(config): support managed deny-read requirements #17740 - managed deny-read requirements

Verification

  • Added integration coverage for shell and exec_command glob deny-read enforcement
  • cargo check -p codex-sandboxing -p codex-linux-sandbox --tests
  • cargo check -p codex-core --test all
  • cargo clippy -p codex-linux-sandbox -p codex-sandboxing --tests
  • just bazel-lock-check

This was referenced Apr 16, 2026
Merged
Merged
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d21044180f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/sandboxing/src/manager.rs
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/deny-read-globs-sandbox branch 2 times, most recently from 6e2a8c9 to f74937c Compare April 16, 2026 16:49
viyatb-oai added a commit that referenced this pull request Apr 16, 2026
@viyatb-oai @codex
feat(permissions): add glob deny-read policy support (#15979)
6862b9c 
## Summary
- adds first-class filesystem policy entries for deny-read glob patterns
- parses config such as :project_roots { "**/*.env" = "none" } into
pattern entries
- enforces deny-read patterns in direct read/list helpers
- fails closed for sandbox execution until platform backends enforce
glob patterns in #18096
- preserves split filesystem policy in turn context only when it cannot
be reconstructed from legacy sandbox policy

## Stack
1. This PR - glob deny-read policy/config/direct-tool support
2. #18096 - macOS and Linux sandbox enforcement
3. #17740 - managed deny-read requirements

## Verification
- just fmt
- cargo check -p codex-core -p codex-sandboxing --tests

---------

Co-authored-by: Codex <noreply@openai.com>
Base automatically changed from codex/viyatb/deny-read-globs to main April 16, 2026 17:31
@viyatb-oai viyatb-oai changed the title feat(sandbox): enforce glob deny-read on macOS and Linux feat(sandbox): add glob deny-read platform enforcement Apr 16, 2026
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/deny-read-globs-sandbox branch from 8231409 to 4fac10c Compare April 16, 2026 17:48
viyatb-oai and others added 3 commits April 16, 2026 10:48
@viyatb-oai @codex
feat(sandbox): enforce glob deny-read on macOS and Linux
8424f88 
Add macOS seatbelt regex deny rules and Linux bwrap glob expansion/masking for unreadable filesystem glob patterns. This removes the temporary fail-closed guard from the policy-only layer because both platform backends now enforce the patterns directly.

Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai
fix(sandbox): use glob pattern filesystem path variant
7be5a33 
Co-authored-by: Codex noreply@openai.com
@viyatb-oai
test(sandbox): cover glob deny-read integration
2cb6091 
Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai force-pushed the codex/viyatb/deny-read-globs-sandbox branch from 4fac10c to 2cb6091 Compare April 16, 2026 17:51
viyatb-oai and others added 5 commits April 16, 2026 11:32
@viyatb-oai @codex
fix(sandbox): stabilize glob deny-read CI
9c3d25e 
Keep Linux glob expansion working when ripgrep is not available in the test environment, and avoid over-escaping macOS Seatbelt regex deny rules.

Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
docs(sandbox): document rg glob fallback
61b2477 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
docs(sandbox): simplify bubblewrap wording
304f142 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
docs(sandbox): avoid bubblewrap pipeline wording
b4db88a 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
fix(sandbox): preserve glob deny-read output
b29404d 
Preserve sandbox-denied output for unified exec so deny-read glob failures are returned as normal command output instead of an opaque CreateProcess error. Also canonicalize macOS Seatbelt glob static prefixes so /tmp and /var symlink spellings are masked correctly.

Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai viyatb-oai requested a review from bolinfest April 16, 2026 20:28
@viyatb-oai viyatb-oai mentioned this pull request Apr 16, 2026
Open
bolinfest
bolinfest approved these changes Apr 16, 2026
View reviewed changes
Comment thread codex-rs/core/src/tools/handlers/unified_exec.rs Outdated
Comment thread codex-rs/core/src/tools/handlers/unified_exec.rs Outdated
Comment thread codex-rs/core/src/tools/handlers/unified_exec.rs Outdated
Comment thread codex-rs/core/tests/suite/tools.rs
Comment thread codex-rs/core/tests/suite/unified_exec.rs Outdated
Comment thread codex-rs/linux-sandbox/src/bwrap.rs Outdated
Comment thread codex-rs/linux-sandbox/src/bwrap.rs
Comment thread codex-rs/linux-sandbox/src/bwrap.rs Outdated
Comment thread codex-rs/linux-sandbox/src/bwrap.rs
None
}

#[cfg(test)]
Copy link
Copy Markdown
Collaborator

@bolinfest bolinfest Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a follow-up, we should also migrate this crate to use the _tests.rs pattern.

Comment thread codex-rs/sandboxing/src/seatbelt_tests.rs Outdated
viyatb-oai and others added 4 commits April 16, 2026 15:48
@viyatb-oai @codex
fix(sandbox): address glob deny-read review comments
a3f3688 
Tighten sandbox-denied unified exec output metadata, make glob deny-read tests less flaky, strengthen Linux glob expansion path types, and assert exact Seatbelt regex translations.

Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
feat(sandbox): configure deny-read glob scan depth
8a8a447 
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai @codex
fix(sandbox): fail closed on mutable symlink carveouts
8f0ebec 
Reject Linux bwrap deny-read and read-only carveouts that cross writable symlink components instead of masking a startup-time resolved target. Also rename the glob scan depth config to glob_scan_max_depth.

Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai
Merge branch 'main' into codex/viyatb/deny-read-globs-sandbox
96f20cf
@viyatb-oai viyatb-oai merged commit 0d0abe8 into main Apr 17, 2026
25 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/deny-read-globs-sandbox branch April 17, 2026 00:35
@github-actions github-actions bot locked and limited conversation to collaborators Apr 17, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@bolinfest bolinfest bolinfest approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@viyatb-oai @bolinfest