This was referenced Apr 17, 2026
bolinfest added a commit that referenced this pull request Apr 21, 2026
## Why

#18274 made `PermissionProfile` the canonical file-system permissions shape, but the round-trip from `FileSystemSandboxPolicy` to `PermissionProfile` still dropped one piece of policy metadata: `glob_scan_max_depth`.

That field is security-relevant for deny-read globs such as `**/*.env`. On Linux, bubblewrap sandbox construction uses it to bound unreadable glob expansion. If a profile copied from active runtime permissions loses this value and is submitted back as an override, the resulting `FileSystemSandboxPolicy` can behave differently even though the visible permission entries look equivalent.

## What changed

- Add `glob_scan_max_depth` to protocol `FileSystemPermissions` and preserve it when converting to/from `FileSystemSandboxPolicy`.
- Keep legacy `read`/`write` JSON for simple path-only permissions, but force canonical JSON when glob scan depth is present so the metadata is not silently dropped.
- Carry `globScanMaxDepth` through app-server `AdditionalFileSystemPermissions`, generated JSON/TypeScript schemas, and app-server/TUI conversion call sites.
- Preserve the metadata through sandboxing permission normalization, merging, and intersection.
- Carry the merged scan depth into the effective `FileSystemSandboxPolicy` used for command execution, so bounded deny-read globs reach Linux bubblewrap materialization.

## Verification

- `cargo test -p codex-sandboxing glob_scan -- --nocapture`
- `cargo test -p codex-sandboxing policy_transforms -- --nocapture`
- `just fix -p codex-sandboxing`

---

[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/18713).

* #18288
* #18287
* #18286
* #18285
* #18284
* #18283
* #18282
* #18281
* #18280
* #18279
* #18278
* #18277
* #18276
* #18275
* __->__ #18713
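The round-trip problem described in the commit message above, as an added Rust example that is not code from the pull request or the codex repository. `SandboxPolicy`, `Profile`, the conversion functions and the depth-bounded matching are simplified, hypothetical stand-ins, and the file tree is constructed.

```rust
// Hypothetical, simplified stand-ins for the two shapes named in the commit message.
#[derive(Clone, Debug, PartialEq)]
struct SandboxPolicy { deny_read_globs: Vec<String>, glob_scan_max_depth: Option<usize> }
#[derive(Clone, Debug, PartialEq)]
struct Profile { deny_read: Vec<String>, glob_scan_max_depth: Option<usize> }

// Copies only the visible entries: the lossy round-trip the commit message describes.
fn to_profile_lossy(p: &SandboxPolicy) -> Profile {
    Profile { deny_read: p.deny_read_globs.clone(), glob_scan_max_depth: None }
}

// Carries the scan-depth metadata along with the entries.
fn to_profile(p: &SandboxPolicy) -> Profile {
    Profile { deny_read: p.deny_read_globs.clone(), glob_scan_max_depth: p.glob_scan_max_depth }
}

fn from_profile(p: &Profile) -> SandboxPolicy {
    SandboxPolicy { deny_read_globs: p.deny_read.clone(), glob_scan_max_depth: p.glob_scan_max_depth }
}

// Toy expansion (assumed semantics): a "**/*<suffix>" glob matches a path whose name
// ends with <suffix> and whose depth (number of '/') is within the bound, if any.
fn expand_deny_read(policy: &SandboxPolicy, tree: &[&str]) -> Vec<String> {
    tree.iter()
        .filter(|path| {
            let depth = path.matches('/').count();
            policy.glob_scan_max_depth.map_or(true, |max| depth <= max)
                && policy.deny_read_globs.iter().any(|g| {
                    g.strip_prefix("**/*").map_or(false, |suffix| path.ends_with(suffix))
                })
        })
        .map(|path| path.to_string())
        .collect()
}

// Constructed sample tree and policy.
const TREE: [&str; 4] = ["app/.env", "app/src/main.rs", "app/vendor/a/b/c/test.env", "README.md"];

fn sample_policy() -> SandboxPolicy {
    SandboxPolicy { deny_read_globs: vec!["**/*.env".to_string()], glob_scan_max_depth: Some(2) }
}

fn main() {
    let original = sample_policy();
    let lossy = from_profile(&to_profile_lossy(&original));
    let kept = from_profile(&to_profile(&original));
    println!("lossy: equal={} expansion={:?}", lossy == original, expand_deny_read(&lossy, &TREE));
    println!("kept:  equal={} expansion={:?}", kept == original, expand_deny_read(&kept, &TREE));
}
```

Comparing the whole policy after a round-trip, rather than only its entry list, is what exposes the dropped field: both conversions return identical `deny_read_globs`.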
## Why

`command/exec` is another app-server entry point that can run under caller-provided permissions. It needs to accept `PermissionProfile` directly so command execution is not left behind on `SandboxPolicy` while thread APIs move forward.

## What changed

This adds `permissionProfile` to `CommandExecParams`, rejects requests that combine it with `sandboxPolicy`, converts the profile into execution permissions, updates app-server docs/schema fixtures, and adds command-exec coverage for both the accepted and rejected paths.

## Verification

- `cargo test -p codex-app-server command_exec_accepts_permission_profile -- --nocapture`
- `cargo test -p codex-app-server command_exec_rejects_sandbox_policy_with_permission_profile -- --nocapture`

Stack created with Sapling. Best reviewed with ReviewStack.