Reserve missing preserved paths in Linux sandbox policy

[evawong-oai]

Summary

This PR protects preserved workspace metadata paths under workspace write sandboxes without breaking normal Git discovery. The preserved paths are .git, .codex, and .agents.

BUGB 15632 tracks the Bugcrowd submission.

Root Cause

The previous policy only treated .git and .agents as protected after they already existed. That left a first run gap where sandboxed code in a new workspace could create .git/config.

The report used git init followed by a Git config value that could persist on the host. A later host side Git command could then load attacker controlled repo metadata.

The hard part is that missing .git cannot always be handled the same way as .codex and .agents. If Codex runs inside a subdirectory of an existing Git repo or worktree, materializing a child .git changes Git discovery and hides the valid parent repo. In that case the child .git must stay absent, and creation must be blocked before the sandboxed command runs.

Design

1. The protocol layer centralizes preserved workspace metadata names and derives default read only carveouts for writable roots.
2. Existing .git, .codex, and .agents paths stay read only under default writable roots.
3. Missing .codex and .agents are reserved under writable roots so first creation is blocked.
4. Missing .git is reserved only when doing so does not break Git discovery.
5. Missing child .git under a valid parent repo or worktree stays absent so normal git status and git rev parse keep discovering the parent.
6. Preserved path write detection lives in the shell command crate and is reused by both codex sandbox and normal Codex shell tool execution.
7. That shared guard blocks preserved path writes that cannot be represented safely as sandbox mounts. This covers git init, common file commands, and literal shell redirection targets.
8. Linux bwrap setup masks representable missing preserved paths with /dev/null, treats transient empty preserved files as synthetic when another active sandbox owns them, and cleans synthetic placeholders after bwrap exits.
9. The Linux launcher keeps a parent process only when cleanup is needed, forwards termination signals to the bwrap child process group, clears the child pid after wait, and then runs cleanup.
10. The bwrap mount helper state is held in one local context so preserved files and synthetic cleanup targets stay in sync.

Reviewer Collaboration

1. Viyat found that child .git materialization broke parent repo discovery. The PR now leaves child .git absent under a valid ancestor repo or worktree and blocks creation through the command guard.
2. Viyat found that overlapping Linux sandboxes could leave zero byte .git, .codex, and .agents placeholders. The PR now treats empty preserved paths with active synthetic ownership as synthetic and removes them when the last owner exits, while preserving real prior empty files.
3. Michael pointed out that the codex sandbox entrypoint had too much preserved path policy logic. The latest head moves that logic into shared shell command code and keeps the debug sandbox entrypoint as a caller of the shared guard.

Validation

Current PR head: f8f8584923d3e1b9d9e19ffb1d67cb60de96a876.

1. GitHub Actions is green on the current head, including Rust CI, Bazel, Blob size policy, Codespell, cargo deny, SDK, and CLA.
2. Earlier local validation passed formatting, diff whitespace, the focused protocol permission tests with Cargo and Bazel, the full protocol crate test suite with Cargo, and the full Bazel protocol unit target.
3. Latest Linux devbox validation passed native cases 1 through 45 on the current head.
4. Latest Linux devbox validation also passed Viyat's parent repo subdirectory workflow when run as the real split flow: parent Git discovery works, git init and mkdir .codex are blocked, normal JSONL viewer coding works, and no .git, .codex, or .agents placeholders remain afterward.
5. The latest push only moves preserved path command detection out of codex sandbox and into shared shell command code, then wires the CLI and core shell paths through the same guard.

[evawong-oai]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Nice work!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[evawong-oai]

Reviewer evidence update.

I extended the same preserved path rule to missing .agents. The existing .agents directory was already protected when present. The missing case now follows .git and .codex for the active workspace root, while explicit user write rules still win.

I also reran linked worktree validation on a Linux devbox with system bwrap installed at /usr/bin/bwrap, version 0.9.0. The .git worktree pointer case passed. Normal writes inside the worktree succeeded. Overwriting .git, replacing .git, and writing through the resolved gitdir were blocked. The pointer file stayed unchanged and no .git directory was created.

I fixed the devbox validation gap where blocked missing .codex and .agents attempts left zero byte host files. The Linux bwrap path now tracks synthetic missing mount targets, runs bwrap in a child only when cleanup is needed, removes only zero byte synthetic targets after preflight and the real run, then preserves the bwrap exit status.

The rerun passed on the Linux devbox with system bwrap at /usr/bin/bwrap, version 0.9.0, against commit 87f8ccb2bc22abb0e2c403da30866ae014941ae7. Normal checkout and linked worktree cases passed for .codex, .git, and .agents. Missing .codex and .agents writes were blocked and left no host side file or directory immediately after the sandbox command returned. Normal writes still succeeded, the linked .git pointer stayed unchanged, and resolved gitdir writes stayed blocked. The validation transcript did not contain the previous proc mount setup error.

I also locally passed sandboxing crate tests, protocol crate tests, format check, and whitespace diff check.

The branch remains one commit, now 87f8ccb2bc22abb0e2c403da30866ae014941ae7.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be03010efb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[bolinfest]

Something feels off: this the logic that powers codex sandbox. This file should be small, as it should be calling into existing library code. This seems off.

[bolinfest]

Why are we special-casing things?