Skip to content

fix: introduce AbsolutePathBuf as part of sandbox config #7856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bolinfest merged 1 commit into from
Dec 12, 2025
Merged

fix: introduce AbsolutePathBuf as part of sandbox config #7856

bolinfest merged 1 commit into from
Dec 12, 2025
+277 −122

Conversation

@bolinfest
Copy link
Collaborator

@bolinfest bolinfest commented Dec 11, 2025
edited
Loading

Changes the writable_roots field of the WorkspaceWrite variant of the SandboxPolicy enum from Vec<PathBuf> to Vec<AbsolutePathBuf>. This is helpful because now callers can be sure the value is an absolute path rather than a relative one. (Though when using an absolute path in a Seatbelt config policy, we still have to canonicalize it first.)

Because writable_roots can be read from a config file, it is important that we are able to resolve relative paths properly using the parent folder of the config file as the base path.

@bolinfest bolinfest force-pushed the pr7856 branch 11 times, most recently from 10b4572 to e566a32 Compare December 11, 2025 05:08
@bolinfest bolinfest force-pushed the pr7856 branch 3 times, most recently from 9c2d4e4 to d39d29f Compare December 12, 2025 06:21
pakrym-oai
pakrym-oai reviewed Dec 12, 2025
View reviewed changes
codex-rs/core/src/environment_context.rs

#[test]
fn serialize_workspace_write_environment_context() {
let cwd = if cfg!(windows) { "C:\\repo" } else { "/repo" };
Copy link
Collaborator

@pakrym-oai pakrym-oai Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we need path helpers. Some of these don't actually need to be real.

test_path_does_not_matter("/repo")
test_path_tmp()

etc.
Would be a shame to embed cfg!(windows) into so many places to get all tests to work for windows.

pakrym-oai
pakrym-oai reviewed Dec 12, 2025
View reviewed changes
codex-rs/protocol/src/protocol.rs
roots.push(tmpdir_path);
} else {
error!(
"Ignoring invalid TMPDIR value {tmpdir:?} for sandbox writable root",
Copy link
Collaborator

@pakrym-oai pakrym-oai Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit maybe include error

@bolinfest
Copy link
Collaborator Author

bolinfest commented Dec 12, 2025

@pakrym-oai good points: I'll try to address in a follow-up before this PR starts incurring hard-to-fix merge conflicts!

@bolinfest bolinfest merged commit 642b756 into main Dec 12, 2025
26 checks passed
@bolinfest bolinfest deleted the pr7856 branch December 12, 2025 23:25
@github-actions github-actions bot locked and limited conversation to collaborators Dec 12, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pakrym-oai pakrym-oai pakrym-oai approved these changes

@gverma-openai gverma-openai Awaiting requested review from gverma-openai

@gt-oai gt-oai Awaiting requested review from gt-oai

@jif-oai jif-oai Awaiting requested review from jif-oai

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bolinfest @pakrym-oai