fix: honor active permission profiles in sandbox debug #14293

Merged: viyatb-oai merged 3 commits into main from codex/viyatb/debug-sandbox-permissions-profile, Mar 18, 2026

@viyatb-oai (Collaborator) commented Mar 11, 2026

Summary

  • stop codex sandbox from forcing legacy sandbox_mode when active [permissions] profiles are configured
  • keep the legacy read-only / workspace-write fallback for legacy configs and reject --full-auto for profile-based configs
  • use split filesystem and network policies in the macOS/Linux debug sandbox helpers and add regressions for the config-loading behavior

assuming "codex/docs/private/secret.txt" = "none"

codex -c 'default_permissions="limited-read-test"' sandbox macos -- <command> ...

codex sandbox macos -- cat codex/docs/private/secret.txt >/dev/null; echo EXIT:$?
cat: codex/docs/private/secret.txt: Operation not permitted
EXIT:1

@viyatb-oai force-pushed the codex/viyatb/debug-sandbox-permissions-profile branch from 6751836 to 5d07b2f, March 11, 2026 02:59
@viyatb-oai requested a review from bolinfest, March 11, 2026 16:29
@viyatb-oai force-pushed the codex/viyatb/debug-sandbox-permissions-profile branch from 5d07b2f to d0a99a9, March 11, 2026 16:52
@viyatb-oai force-pushed the codex/viyatb/debug-sandbox-permissions-profile branch 2 times, most recently from 2262c7c to 9937bb6, March 11, 2026 20:18
@viyatb-oai force-pushed the codex/viyatb/debug-sandbox-permissions-profile branch from 9937bb6 to fce317e, March 18, 2026 00:35
@viyatb-oai enabled auto-merge (squash), March 18, 2026 01:02
@viyatb-oai merged commit 6fe8a05 into main, Mar 18, 2026
33 checks passed
@viyatb-oai deleted the codex/viyatb/debug-sandbox-permissions-profile branch, March 18, 2026 01:52
@github-actions bot locked and limited conversation to collaborators, Mar 18, 2026