codex: address remaining sandbox review feedback (#16736)

starr-openai · codex · starr-openai · commit ce6f4443eb19 · 2026-04-07T14:32:38.000-07:00
Co-authored-by: Codex &lt;noreply@openai.com&gt;
diff --git a/codex-rs/core/src/exec.rs b/codex-rs/core/src/exec.rs
@@ -40,7 +40,6 @@ use codex_protocol::protocol::ExecOutputStream;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxCommand;
 use codex_sandboxing::SandboxManager;
-use codex_sandboxing::SandboxTransformRequest;
 use codex_sandboxing::SandboxType;
 use codex_sandboxing::SandboxablePreference;
 use codex_utils_absolute_path::AbsolutePathBuf;
@@ -284,20 +283,20 @@ pub fn build_exec_request(
         capture_policy,
     };
     let mut exec_req = manager
-        .transform(SandboxTransformRequest {
+        .transform(
             command,
-            policy: sandbox_policy,
-            file_system_policy: file_system_sandbox_policy,
-            network_policy: network_sandbox_policy,
-            sandbox: sandbox_type,
+            sandbox_policy,
+            file_system_sandbox_policy,
+            network_sandbox_policy,
+            sandbox_type,
             enforce_managed_network,
-            network: network.as_ref(),
-            sandbox_policy_cwd: sandbox_cwd,
-            codex_linux_sandbox_exe: codex_linux_sandbox_exe.as_ref(),
+            network.as_ref(),
+            sandbox_cwd,
+            codex_linux_sandbox_exe.as_ref(),
             use_legacy_landlock,
             windows_sandbox_level,
             windows_sandbox_private_desktop,
-        })
+        )
         .map(|request| ExecRequest::from_sandbox_exec_request(request, options))
         .map_err(CodexErr::from)?;
     exec_req.windows_restricted_token_filesystem_overlay =
diff --git a/codex-rs/core/src/tools/js_repl/mod.rs b/codex-rs/core/src/tools/js_repl/mod.rs
@@ -43,7 +43,6 @@ use crate::tools::ToolRouter;
 use crate::tools::context::SharedTurnDiffTracker;
 use codex_sandboxing::SandboxCommand;
 use codex_sandboxing::SandboxManager;
-use codex_sandboxing::SandboxTransformRequest;
 use codex_sandboxing::SandboxablePreference;
 use codex_tools::ToolSpec;
 use codex_utils_output_truncation::TruncationPolicy;
@@ -1059,23 +1058,20 @@ impl JsReplManager {
             capture_policy: ExecCapturePolicy::ShellTool,
         };
         let exec_env = sandbox
-            .transform(SandboxTransformRequest {
+            .transform(
                 command,
-                policy: &turn.sandbox_policy,
-                file_system_policy: &turn.file_system_sandbox_policy,
-                network_policy: turn.network_sandbox_policy,
-                sandbox: sandbox_type,
-                enforce_managed_network: has_managed_network_requirements,
-                network: None,
-                sandbox_policy_cwd: &turn.cwd,
-                codex_linux_sandbox_exe: turn.codex_linux_sandbox_exe.as_ref(),
-                use_legacy_landlock: turn.features.use_legacy_landlock(),
-                windows_sandbox_level: turn.windows_sandbox_level,
-                windows_sandbox_private_desktop: turn
-                    .config
-                    .permissions
-                    .windows_sandbox_private_desktop,
-            })
+                &turn.sandbox_policy,
+                &turn.file_system_sandbox_policy,
+                turn.network_sandbox_policy,
+                sandbox_type,
+                has_managed_network_requirements,
+                None,
+                &turn.cwd,
+                turn.codex_linux_sandbox_exe.as_ref(),
+                turn.features.use_legacy_landlock(),
+                turn.windows_sandbox_level,
+                turn.config.permissions.windows_sandbox_private_desktop,
+            )
             .map(|request| {
                 crate::sandboxing::ExecRequest::from_sandbox_exec_request(request, options)
             })
diff --git a/codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs b/codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
@@ -34,7 +34,6 @@ use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxCommand;
 use codex_sandboxing::SandboxManager;
-use codex_sandboxing::SandboxTransformRequest;
 use codex_sandboxing::SandboxType;
 use codex_sandboxing::SandboxablePreference;
 use codex_shell_command::bash::parse_shell_lc_plain_commands;
@@ -835,20 +834,20 @@ impl CoreShellCommandExecutor {
             expiration: ExecExpiration::DefaultTimeout,
             capture_policy: ExecCapturePolicy::ShellTool,
         };
-        let exec_request = sandbox_manager.transform(SandboxTransformRequest {
+        let exec_request = sandbox_manager.transform(
             command,
-            policy: sandbox_policy,
-            file_system_policy: file_system_sandbox_policy,
-            network_policy: network_sandbox_policy,
+            sandbox_policy,
+            file_system_sandbox_policy,
+            network_sandbox_policy,
             sandbox,
-            enforce_managed_network: self.network.is_some(),
-            network: self.network.as_ref(),
-            sandbox_policy_cwd: &self.sandbox_policy_cwd,
-            codex_linux_sandbox_exe: self.codex_linux_sandbox_exe.as_ref(),
-            use_legacy_landlock: self.use_legacy_landlock,
-            windows_sandbox_level: self.windows_sandbox_level,
-            windows_sandbox_private_desktop: false,
-        })?;
+            self.network.is_some(),
+            self.network.as_ref(),
+            &self.sandbox_policy_cwd,
+            self.codex_linux_sandbox_exe.as_ref(),
+            self.use_legacy_landlock,
+            self.windows_sandbox_level,
+            false,
+        )?;
         let mut exec_request =
             crate::sandboxing::ExecRequest::from_sandbox_exec_request(exec_request, options);
         if let Some(network) = exec_request.network.as_ref() {
diff --git a/codex-rs/core/src/tools/runtimes/unified_exec.rs b/codex-rs/core/src/tools/runtimes/unified_exec.rs
@@ -86,12 +86,12 @@ pub struct UnifiedExecRuntime<'a> {
 fn build_remote_exec_sandbox_config(
     attempt: &SandboxAttempt<'_>,
     additional_permissions: Option<PermissionProfile>,
-) -> Option<SandboxLaunchConfig> {
+) -> SandboxLaunchConfig {
     if matches!(attempt.sandbox, codex_sandboxing::SandboxType::None) {
-        return None;
+        return SandboxLaunchConfig::no_sandbox(attempt.sandbox_cwd.to_path_buf());
     }
 
-    Some(SandboxLaunchConfig {
+    SandboxLaunchConfig {
         sandbox: attempt.sandbox,
         policy: attempt.policy.clone(),
         file_system_policy: attempt.file_system_policy.clone(),
@@ -102,7 +102,7 @@ fn build_remote_exec_sandbox_config(
         windows_sandbox_level: attempt.windows_sandbox_level,
         windows_sandbox_private_desktop: attempt.windows_sandbox_private_desktop,
         use_legacy_landlock: attempt.use_legacy_landlock,
-    })
+    }
 }
 
 impl<'a> UnifiedExecRuntime<'a> {
@@ -248,12 +248,6 @@ impl<'a> ToolRuntime<UnifiedExecRequest, UnifiedExecProcess> for UnifiedExecRunt
                         .to_string(),
                 ));
             }
-            if req.network.is_some() {
-                return Err(ToolError::Rejected(
-                    "unified_exec managed-network is not supported when exec_server_url is configured"
-                        .to_string(),
-                ));
-            }
             let exec_params = codex_exec_server::ExecParams {
                 process_id: req.process_id.to_string().into(),
                 argv: command,
diff --git a/codex-rs/core/src/tools/sandboxing.rs b/codex-rs/core/src/tools/sandboxing.rs
@@ -24,7 +24,6 @@ use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxCommand;
 use codex_sandboxing::SandboxManager;
 use codex_sandboxing::SandboxTransformError;
-use codex_sandboxing::SandboxTransformRequest;
 use codex_sandboxing::SandboxType;
 use codex_sandboxing::SandboxablePreference;
 use futures::Future;
@@ -339,20 +338,20 @@ impl<'a> SandboxAttempt<'a> {
         network: Option<&NetworkProxy>,
     ) -> Result<crate::sandboxing::ExecRequest, SandboxTransformError> {
         self.manager
-            .transform(SandboxTransformRequest {
+            .transform(
                 command,
-                policy: self.policy,
-                file_system_policy: self.file_system_policy,
-                network_policy: self.network_policy,
-                sandbox: self.sandbox,
-                enforce_managed_network: self.enforce_managed_network,
+                self.policy,
+                self.file_system_policy,
+                self.network_policy,
+                self.sandbox,
+                self.enforce_managed_network,
                 network,
-                sandbox_policy_cwd: self.sandbox_cwd,
-                codex_linux_sandbox_exe: self.codex_linux_sandbox_exe,
-                use_legacy_landlock: self.use_legacy_landlock,
-                windows_sandbox_level: self.windows_sandbox_level,
-                windows_sandbox_private_desktop: self.windows_sandbox_private_desktop,
-            })
+                self.sandbox_cwd,
+                self.codex_linux_sandbox_exe,
+                self.use_legacy_landlock,
+                self.windows_sandbox_level,
+                self.windows_sandbox_private_desktop,
+            )
             .map(|request| {
                 crate::sandboxing::ExecRequest::from_sandbox_exec_request(request, options)
             })
diff --git a/codex-rs/core/src/unified_exec/mod.rs b/codex-rs/core/src/unified_exec/mod.rs
@@ -12,7 +12,7 @@
 //! Flow at a glance (open process)
 //! 1) Build a small request `{ command, cwd }`.
 //! 2) Orchestrator: approval (bypass/cache/prompt) → select sandbox → run.
-//! 3) Runtime: transform `SandboxTransformRequest` -> `ExecRequest` -> spawn PTY.
+//! 3) Runtime: transform sandbox config -> `ExecRequest` -> spawn PTY.
 //! 4) If denial, orchestrator retries with `SandboxType::None`.
 //! 5) Process handle is returned with streaming output + metadata.
 //!
diff --git a/codex-rs/core/src/unified_exec/process_manager.rs b/codex-rs/core/src/unified_exec/process_manager.rs
@@ -609,7 +609,7 @@ impl UnifiedExecProcessManager {
                     env: env.env.clone(),
                     tty,
                     arg0: env.arg0.clone(),
-                    sandbox: None,
+                    sandbox: codex_sandboxing::SandboxLaunchConfig::no_sandbox(env.cwd.clone()),
                 })
                 .await
                 .map_err(|err| UnifiedExecError::create_process(err.to_string()))?;
diff --git a/codex-rs/exec-server/src/environment.rs b/codex-rs/exec-server/src/environment.rs
@@ -160,6 +160,7 @@ mod tests {
     use super::Environment;
     use super::EnvironmentManager;
     use crate::ProcessId;
+    use codex_sandboxing::SandboxLaunchConfig;
     use pretty_assertions::assert_eq;
 
     #[tokio::test]
@@ -202,7 +203,9 @@ mod tests {
                 env: Default::default(),
                 tty: false,
                 arg0: None,
-                sandbox: None,
+                sandbox: SandboxLaunchConfig::no_sandbox(
+                    std::env::current_dir().expect("read current dir"),
+                ),
             })
             .await
             .expect("start process");
diff --git a/codex-rs/exec-server/src/local_process.rs b/codex-rs/exec-server/src/local_process.rs
@@ -9,14 +9,9 @@ use std::time::Duration;
 
 use async_trait::async_trait;
 use codex_app_server_protocol::JSONRPCErrorError;
-use codex_protocol::config_types::WindowsSandboxLevel;
-use codex_protocol::permissions::FileSystemSandboxPolicy;
-use codex_protocol::permissions::NetworkSandboxPolicy;
-use codex_protocol::protocol::SandboxPolicy;
 use codex_sandboxing::SandboxCommand;
 use codex_sandboxing::SandboxExecRequest;
 use codex_sandboxing::SandboxType;
-use codex_sandboxing::landlock::CODEX_LINUX_SANDBOX_ARG0;
 use codex_utils_pty::ExecCommandSession;
 use codex_utils_pty::TerminalSize;
 use tokio::sync::Mutex;
@@ -110,14 +105,8 @@ struct ExecServerRuntimeConfig {
 impl ExecServerRuntimeConfig {
     fn detect() -> Self {
         let env_path = std::env::var_os("CODEX_LINUX_SANDBOX_EXE").map(PathBuf::from);
-        let sibling_path = std::env::current_exe().ok().and_then(|current_exe| {
-            current_exe
-                .parent()
-                .map(|parent| parent.join(CODEX_LINUX_SANDBOX_ARG0))
-                .filter(|candidate| candidate.exists())
-        });
         Self {
-            codex_linux_sandbox_exe: env_path.or(sibling_path),
+            codex_linux_sandbox_exe: env_path,
         }
     }
 }
@@ -523,29 +512,14 @@ fn prepare_exec_launch(
     params: &ExecParams,
     runtime: &ExecServerRuntimeConfig,
 ) -> Result<SandboxExecRequest, JSONRPCErrorError> {
-    let Some(sandbox) = params.sandbox.as_ref() else {
-        return Ok(SandboxExecRequest {
-            command: params.argv.clone(),
-            cwd: params.cwd.clone(),
-            env: params.env.clone(),
-            arg0: params.arg0.clone(),
-            network: None,
-            sandbox: SandboxType::None,
-            windows_sandbox_level: WindowsSandboxLevel::Disabled,
-            windows_sandbox_private_desktop: false,
-            sandbox_policy: SandboxPolicy::DangerFullAccess,
-            file_system_sandbox_policy: FileSystemSandboxPolicy::unrestricted(),
-            network_sandbox_policy: NetworkSandboxPolicy::Enabled,
-        });
-    };
-
     let command = build_sandbox_command(
         &params.argv,
         params.cwd.as_path(),
         &params.env,
-        sandbox.additional_permissions.clone(),
+        params.sandbox.additional_permissions.clone(),
     )?;
-    sandbox
+    params
+        .sandbox
         .transform(
             command,
             // TODO: Thread managed-network proxy state across exec-server so
diff --git a/codex-rs/exec-server/src/protocol.rs b/codex-rs/exec-server/src/protocol.rs
@@ -62,7 +62,7 @@ pub struct ExecParams {
     pub env: HashMap<String, String>,
     pub tty: bool,
     pub arg0: Option<String>,
-    pub sandbox: Option<SandboxLaunchConfig>,
+    pub sandbox: SandboxLaunchConfig,
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
diff --git a/codex-rs/exec-server/src/remote_process.rs b/codex-rs/exec-server/src/remote_process.rs
@@ -1,7 +1,6 @@
 use std::sync::Arc;
 
 use async_trait::async_trait;
-use codex_sandboxing::SandboxType;
 use tokio::sync::watch;
 use tracing::trace;
 
@@ -35,10 +34,7 @@ impl RemoteProcess {
 impl ExecBackend for RemoteProcess {
     async fn start(&self, params: ExecParams) -> Result<StartedExecProcess, ExecServerError> {
         let process_id = params.process_id.clone();
-        let sandbox_type = params
-            .sandbox
-            .as_ref()
-            .map_or(SandboxType::None, |sandbox| sandbox.sandbox);
+        let sandbox_type = params.sandbox.sandbox;
         let session = self.client.register_session(&process_id).await?;
         match self.client.exec(params).await {
             Ok(_) => {}
diff --git a/codex-rs/exec-server/src/server/handler/tests.rs b/codex-rs/exec-server/src/server/handler/tests.rs
@@ -12,6 +12,7 @@ use crate::protocol::InitializeResponse;
 use crate::protocol::TerminateParams;
 use crate::protocol::TerminateResponse;
 use crate::rpc::RpcNotificationSender;
+use codex_sandboxing::SandboxLaunchConfig;
 
 fn exec_params(process_id: &str) -> ExecParams {
     let mut env = HashMap::new();
@@ -29,7 +30,7 @@ fn exec_params(process_id: &str) -> ExecParams {
         env,
         tty: false,
         arg0: None,
-        sandbox: None,
+        sandbox: SandboxLaunchConfig::no_sandbox(std::env::current_dir().expect("cwd")),
     }
 }
 
diff --git a/codex-rs/exec-server/tests/exec_process.rs b/codex-rs/exec-server/tests/exec_process.rs
diff --git a/codex-rs/sandboxing/src/lib.rs b/codex-rs/sandboxing/src/lib.rs
diff --git a/codex-rs/sandboxing/src/manager.rs b/codex-rs/sandboxing/src/manager.rs
diff --git a/codex-rs/sandboxing/src/manager_tests.rs b/codex-rs/sandboxing/src/manager_tests.rs

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ pub struct ExecParams {`
`62`	`62`	`pub env: HashMap<String, String>,`
`63`	`63`	`pub tty: bool,`
`64`	`64`	`pub arg0: Option<String>,`
`65`		`- pub sandbox: Option<SandboxLaunchConfig>,`
	`65`	`+ pub sandbox: SandboxLaunchConfig,`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]`