Codex Handbook
core/src/sandboxing/mod.rs 171 lines
/*Module: sandboxingCore-owned adapter types for exec/runtime plumbing. Policy selection andcommand transformation live in the codex-sandboxing crate; this module keepsthe exec-only metadata and translates transformed sandbox commands back intoExecRequest for execution.*/use crate::exec::ExecCapturePolicy;use crate::exec::ExecExpiration;use crate::exec::StdoutStream;use crate::exec::WindowsSandboxFilesystemOverrides;use crate::exec::execute_exec_request;#[cfg(target_os = "macos")]use crate::spawn::CODEX_SANDBOX_ENV_VAR;use crate::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;use codex_network_proxy::NetworkProxy;use codex_protocol::config_types::WindowsSandboxLevel;use codex_protocol::exec_output::ExecToolCallOutput;use codex_protocol::models::PermissionProfile;pub use codex_protocol::models::SandboxPermissions;use codex_protocol::permissions::FileSystemSandboxPolicy;use codex_protocol::permissions::NetworkSandboxPolicy;use codex_sandboxing::SandboxExecRequest;use codex_sandboxing::SandboxType;use codex_utils_absolute_path::AbsolutePathBuf;use std::collections::HashMap;#[derive(Debug)]pub(crate) struct ExecOptions {    pub(crate) expiration: ExecExpiration,    pub(crate) capture_policy: ExecCapturePolicy,}#[derive(Clone, Debug)]pub(crate) struct ExecServerEnvConfig {    pub(crate) policy: codex_exec_server::ExecEnvPolicy,    pub(crate) local_policy_env: HashMap<String, String>,}#[derive(Debug)]pub struct ExecRequest {    pub command: Vec<String>,    pub cwd: AbsolutePathBuf,    pub env: HashMap<String, String>,    pub(crate) exec_server_env_config: Option<ExecServerEnvConfig>,    pub network: Option<NetworkProxy>,    pub expiration: ExecExpiration,    pub capture_policy: ExecCapturePolicy,    pub sandbox: SandboxType,    pub windows_sandbox_policy_cwd: AbsolutePathBuf,    pub windows_sandbox_workspace_roots: Vec<AbsolutePathBuf>,    pub windows_sandbox_level: WindowsSandboxLevel,    pub windows_sandbox_private_desktop: bool,    pub permission_profile: PermissionProfile,    pub file_system_sandbox_policy: FileSystemSandboxPolicy,    pub network_sandbox_policy: NetworkSandboxPolicy,    pub(crate) windows_sandbox_filesystem_overrides: Option<WindowsSandboxFilesystemOverrides>,    pub arg0: Option<String>,}impl ExecRequest {    #[allow(clippy::too_many_arguments)]    pub fn new(        command: Vec<String>,        cwd: AbsolutePathBuf,        env: HashMap<String, String>,        network: Option<NetworkProxy>,        expiration: ExecExpiration,        capture_policy: ExecCapturePolicy,        sandbox: SandboxType,        windows_sandbox_workspace_roots: Vec<AbsolutePathBuf>,        windows_sandbox_level: WindowsSandboxLevel,        windows_sandbox_private_desktop: bool,        permission_profile: PermissionProfile,        arg0: Option<String>,    ) -> Self {        let windows_sandbox_policy_cwd = cwd.clone();        let (file_system_sandbox_policy, network_sandbox_policy) =            permission_profile.to_runtime_permissions();        Self {            command,            cwd,            env,            exec_server_env_config: None,            network,            expiration,            capture_policy,            sandbox,            windows_sandbox_policy_cwd,            windows_sandbox_workspace_roots,            windows_sandbox_level,            windows_sandbox_private_desktop,            permission_profile,            file_system_sandbox_policy,            network_sandbox_policy,            windows_sandbox_filesystem_overrides: None,            arg0,        }    }    pub(crate) fn from_sandbox_exec_request(        request: SandboxExecRequest,        options: ExecOptions,        windows_sandbox_workspace_roots: Vec<AbsolutePathBuf>,    ) -> Self {        let SandboxExecRequest {            command,            cwd,            sandbox_policy_cwd: windows_sandbox_policy_cwd,            mut env,            network,            sandbox,            windows_sandbox_level,            windows_sandbox_private_desktop,            permission_profile,            file_system_sandbox_policy,            network_sandbox_policy,            arg0,        } = request;        let ExecOptions {            expiration,            capture_policy,        } = options;        if !network_sandbox_policy.is_enabled() {            env.insert(                CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR.to_string(),                "1".to_string(),            );        }        #[cfg(target_os = "macos")]        if sandbox == SandboxType::MacosSeatbelt {            env.insert(CODEX_SANDBOX_ENV_VAR.to_string(), "seatbelt".to_string());        }        Self {            command,            cwd,            env,            exec_server_env_config: None,            network,            expiration,            capture_policy,            sandbox,            windows_sandbox_policy_cwd,            windows_sandbox_workspace_roots,            windows_sandbox_level,            windows_sandbox_private_desktop,            permission_profile,            file_system_sandbox_policy,            network_sandbox_policy,            windows_sandbox_filesystem_overrides: None,            arg0,        }    }}pub async fn execute_env(    exec_request: ExecRequest,    stdout_stream: Option<StdoutStream>,) -> codex_protocol::error::Result<ExecToolCallOutput> {    execute_exec_request(exec_request, stdout_stream, /*after_spawn*/ None).await}pub async fn execute_exec_request_with_after_spawn(    exec_request: ExecRequest,    stdout_stream: Option<StdoutStream>,    after_spawn: Option<Box<dyn FnOnce() + Send>>,) -> codex_protocol::error::Result<ExecToolCallOutput> {    execute_exec_request(exec_request, stdout_stream, after_spawn).await}