From 40ba3162cc96aeabb97b85b83c0833b88dfbaff3 Mon Sep 17 00:00:00 2001 From: Michael Bolin Date: Thu, 19 Mar 2026 09:18:57 -0700 Subject: [PATCH] core: route view_image through a sandbox-backed fs helper --- codex-rs/Cargo.lock | 14 ++ codex-rs/Cargo.toml | 2 + codex-rs/arg0/Cargo.toml | 1 + codex-rs/arg0/src/lib.rs | 12 ++ codex-rs/core/Cargo.toml | 1 + codex-rs/core/src/exec.rs | 133 ++++++++++++ codex-rs/core/src/lib.rs | 1 + codex-rs/core/src/sandboxed_fs.rs | 197 ++++++++++++++++++ codex-rs/core/src/sandboxing/mod.rs | 16 ++ .../core/src/tools/handlers/view_image.rs | 69 +++--- codex-rs/core/tests/suite/view_image.rs | 110 ++++++++++ codex-rs/fs-ops/BUILD.bazel | 6 + codex-rs/fs-ops/Cargo.toml | 22 ++ codex-rs/fs-ops/src/command.rs | 38 ++++ codex-rs/fs-ops/src/command_tests.rs | 16 ++ codex-rs/fs-ops/src/constants.rs | 3 + codex-rs/fs-ops/src/error.rs | 70 +++++++ codex-rs/fs-ops/src/lib.rs | 13 ++ codex-rs/fs-ops/src/runner.rs | 55 +++++ codex-rs/fs-ops/src/runner_tests.rs | 76 +++++++ codex-rs/utils/image/src/lib.rs | 1 - 21 files changed, 823 insertions(+), 33 deletions(-) create mode 100644 codex-rs/core/src/sandboxed_fs.rs create mode 100644 codex-rs/fs-ops/BUILD.bazel create mode 100644 codex-rs/fs-ops/Cargo.toml create mode 100644 codex-rs/fs-ops/src/command.rs create mode 100644 codex-rs/fs-ops/src/command_tests.rs create mode 100644 codex-rs/fs-ops/src/constants.rs create mode 100644 codex-rs/fs-ops/src/error.rs create mode 100644 codex-rs/fs-ops/src/lib.rs create mode 100644 codex-rs/fs-ops/src/runner.rs create mode 100644 codex-rs/fs-ops/src/runner_tests.rs diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock index d6a13a3d4c89..23d7d6107fcb 100644 --- a/codex-rs/Cargo.lock +++ b/codex-rs/Cargo.lock @@ -1557,6 +1557,7 @@ version = "0.0.0" dependencies = [ "anyhow", "codex-apply-patch", + "codex-fs-ops", "codex-linux-sandbox", "codex-shell-escalation", "codex-utils-home-dir", @@ -1846,6 +1847,7 @@ dependencies = [ "codex-environment", "codex-execpolicy", "codex-file-search", + "codex-fs-ops", "codex-git", "codex-hooks", "codex-keyring-store", @@ -2077,6 +2079,18 @@ dependencies = [ "tokio", ] +[[package]] +name = "codex-fs-ops" +version = "0.0.0" +dependencies = [ + "anyhow", + "base64 0.22.1", + "pretty_assertions", + "serde", + "serde_json", + "tempfile", +] + [[package]] name = "codex-git" version = "0.0.0" diff --git a/codex-rs/Cargo.toml b/codex-rs/Cargo.toml index 35ff64195ea3..3508c38de42c 100644 --- a/codex-rs/Cargo.toml +++ b/codex-rs/Cargo.toml @@ -11,6 +11,7 @@ members = [ "apply-patch", "arg0", "feedback", + "fs-ops", "codex-backend-openapi-models", "cloud-requirements", "cloud-tasks", @@ -109,6 +110,7 @@ codex-exec = { path = "exec" } codex-execpolicy = { path = "execpolicy" } codex-experimental-api-macros = { path = "codex-experimental-api-macros" } codex-feedback = { path = "feedback" } +codex-fs-ops = { path = "fs-ops" } codex-file-search = { path = "file-search" } codex-git = { path = "utils/git" } codex-hooks = { path = "hooks" } diff --git a/codex-rs/arg0/Cargo.toml b/codex-rs/arg0/Cargo.toml index abe7277d9499..10c31eac5ee8 100644 --- a/codex-rs/arg0/Cargo.toml +++ b/codex-rs/arg0/Cargo.toml @@ -14,6 +14,7 @@ workspace = true [dependencies] anyhow = { workspace = true } codex-apply-patch = { workspace = true } +codex-fs-ops = { workspace = true } codex-linux-sandbox = { workspace = true } codex-shell-escalation = { workspace = true } codex-utils-home-dir = { workspace = true } diff --git a/codex-rs/arg0/src/lib.rs b/codex-rs/arg0/src/lib.rs index d8dbaaa30da7..321a2c73a8f0 100644 --- a/codex-rs/arg0/src/lib.rs +++ b/codex-rs/arg0/src/lib.rs @@ -4,6 +4,7 @@ use std::path::Path; use std::path::PathBuf; use codex_apply_patch::CODEX_CORE_APPLY_PATCH_ARG1; +use codex_fs_ops::CODEX_CORE_FS_OPS_ARG1; use codex_utils_home_dir::find_codex_home; #[cfg(unix)] use std::os::unix::fs::symlink; @@ -105,6 +106,17 @@ pub fn arg0_dispatch() -> Option { }; std::process::exit(exit_code); } + if argv1 == CODEX_CORE_FS_OPS_ARG1 { + let mut stdin = std::io::stdin(); + let mut stdout = std::io::stdout(); + let mut stderr = std::io::stderr(); + let exit_code = + match codex_fs_ops::run_from_args(args, &mut stdin, &mut stdout, &mut stderr) { + Ok(()) => 0, + Err(_) => 1, + }; + std::process::exit(exit_code); + } // This modifies the environment, which is not thread-safe, so do this // before creating any threads/the Tokio runtime. diff --git a/codex-rs/core/Cargo.toml b/codex-rs/core/Cargo.toml index d11e20981395..df8924018d8d 100644 --- a/codex-rs/core/Cargo.toml +++ b/codex-rs/core/Cargo.toml @@ -38,6 +38,7 @@ codex-environment = { workspace = true } codex-shell-command = { workspace = true } codex-skills = { workspace = true } codex-execpolicy = { workspace = true } +codex-fs-ops = { workspace = true } codex-file-search = { workspace = true } codex-git = { workspace = true } codex-hooks = { workspace = true } diff --git a/codex-rs/core/src/exec.rs b/codex-rs/core/src/exec.rs index 3569917b5cac..7d5d71d45100 100644 --- a/codex-rs/core/src/exec.rs +++ b/codex-rs/core/src/exec.rs @@ -332,6 +332,58 @@ pub(crate) async fn execute_exec_request( finalize_exec_result(raw_output_result, sandbox, duration) } +pub(crate) async fn execute_exec_request_bytes( + exec_request: ExecRequest, + sandbox_policy: &SandboxPolicy, + stdout_stream: Option, + after_spawn: Option>, +) -> Result { + let ExecRequest { + command, + cwd, + env, + network, + expiration, + sandbox, + windows_sandbox_level, + windows_sandbox_private_desktop, + sandbox_permissions, + sandbox_policy: _sandbox_policy_from_env, + file_system_sandbox_policy, + network_sandbox_policy, + justification, + arg0, + } = exec_request; + let _ = _sandbox_policy_from_env; + + let params = ExecParams { + command, + cwd, + expiration, + env, + network: network.clone(), + sandbox_permissions, + windows_sandbox_level, + windows_sandbox_private_desktop, + justification, + arg0, + }; + + let start = Instant::now(); + let raw_output_result = exec( + params, + sandbox, + sandbox_policy, + &file_system_sandbox_policy, + network_sandbox_policy, + stdout_stream, + after_spawn, + ) + .await; + let duration = start.elapsed(); + finalize_exec_result_bytes(raw_output_result, sandbox, duration) +} + #[cfg(target_os = "windows")] fn extract_create_process_as_user_error_code(err: &str) -> Option { let marker = "CreateProcessAsUserW failed: "; @@ -574,6 +626,64 @@ fn finalize_exec_result( } } +fn finalize_exec_result_bytes( + raw_output_result: std::result::Result, + sandbox_type: SandboxType, + duration: Duration, +) -> Result { + match raw_output_result { + Ok(raw_output) => { + #[allow(unused_mut)] + let mut timed_out = raw_output.timed_out; + + #[cfg(target_family = "unix")] + { + if let Some(signal) = raw_output.exit_status.signal() { + if signal == TIMEOUT_CODE { + timed_out = true; + } else { + return Err(CodexErr::Sandbox(SandboxErr::Signal(signal))); + } + } + } + + let mut exit_code = raw_output.exit_status.code().unwrap_or(-1); + if timed_out { + exit_code = EXEC_TIMEOUT_EXIT_CODE; + } + + let exec_output = ExecToolCallOutputBytes { + exit_code, + stdout: raw_output.stdout, + stderr: raw_output.stderr, + aggregated_output: raw_output.aggregated_output, + duration, + timed_out, + }; + + if timed_out { + return Err(CodexErr::Sandbox(SandboxErr::Timeout { + output: Box::new(exec_output.to_utf8_lossy_output()), + })); + } + + let string_output = exec_output.to_utf8_lossy_output(); + if is_likely_sandbox_denied(sandbox_type, &string_output) { + return Err(CodexErr::Sandbox(SandboxErr::Denied { + output: Box::new(string_output), + network_policy_decision: None, + })); + } + + Ok(exec_output) + } + Err(err) => { + tracing::error!("exec error: {err}"); + Err(err) + } + } +} + pub(crate) mod errors { use super::CodexErr; use crate::sandboxing::SandboxTransformError; @@ -741,6 +851,16 @@ pub struct ExecToolCallOutput { pub timed_out: bool, } +#[derive(Clone, Debug)] +pub(crate) struct ExecToolCallOutputBytes { + pub exit_code: i32, + pub stdout: StreamOutput>, + pub stderr: StreamOutput>, + pub aggregated_output: StreamOutput>, + pub duration: Duration, + pub timed_out: bool, +} + impl Default for ExecToolCallOutput { fn default() -> Self { Self { @@ -754,6 +874,19 @@ impl Default for ExecToolCallOutput { } } +impl ExecToolCallOutputBytes { + fn to_utf8_lossy_output(&self) -> ExecToolCallOutput { + ExecToolCallOutput { + exit_code: self.exit_code, + stdout: self.stdout.from_utf8_lossy(), + stderr: self.stderr.from_utf8_lossy(), + aggregated_output: self.aggregated_output.from_utf8_lossy(), + duration: self.duration, + timed_out: self.timed_out, + } + } +} + #[cfg_attr(not(target_os = "windows"), allow(unused_variables))] async fn exec( params: ExecParams, diff --git a/codex-rs/core/src/lib.rs b/codex-rs/core/src/lib.rs index 10a51b23ecd8..ef13966fb230 100644 --- a/codex-rs/core/src/lib.rs +++ b/codex-rs/core/src/lib.rs @@ -114,6 +114,7 @@ pub mod default_client; pub mod project_doc; mod rollout; pub(crate) mod safety; +mod sandboxed_fs; pub mod seatbelt; pub mod shell; pub mod shell_snapshot; diff --git a/codex-rs/core/src/sandboxed_fs.rs b/codex-rs/core/src/sandboxed_fs.rs new file mode 100644 index 000000000000..a7f51864d72a --- /dev/null +++ b/codex-rs/core/src/sandboxed_fs.rs @@ -0,0 +1,197 @@ +use crate::codex::Session; +use crate::codex::TurnContext; +use crate::error::CodexErr; +use crate::error::SandboxErr; +use crate::exec::ExecExpiration; +use crate::exec::ExecToolCallOutputBytes; +use crate::sandboxing::CommandSpec; +use crate::sandboxing::SandboxPermissions; +use crate::sandboxing::execute_env_bytes; +use crate::sandboxing::merge_permission_profiles; +use crate::tools::sandboxing::SandboxAttempt; +use crate::tools::sandboxing::SandboxablePreference; +use codex_fs_ops::CODEX_CORE_FS_OPS_ARG1; +use codex_fs_ops::FsError; +use codex_fs_ops::FsErrorKind; +use codex_protocol::models::PermissionProfile; +use std::collections::HashMap; +use std::path::Path; +use std::path::PathBuf; +use std::sync::Arc; +use std::time::Duration; + +const SANDBOXED_FS_TIMEOUT: Duration = Duration::from_secs(30); + +pub(crate) async fn read_file( + session: &Arc, + turn: &Arc, + path: &Path, +) -> Result, SandboxedFsError> { + let output = run_request(session, turn, path).await?; + Ok(output.stdout.text) +} + +async fn run_request( + session: &Arc, + turn: &Arc, + path: &Path, +) -> Result { + let exe = std::env::current_exe().map_err(|error| SandboxedFsError::ResolveExe { + message: error.to_string(), + })?; + let additional_permissions = effective_granted_permissions(session).await; + let sandbox_manager = crate::sandboxing::SandboxManager::new(); + let attempt = SandboxAttempt { + sandbox: sandbox_manager.select_initial( + &turn.file_system_sandbox_policy, + turn.network_sandbox_policy, + SandboxablePreference::Auto, + turn.windows_sandbox_level, + /*has_managed_network_requirements*/ false, + ), + policy: &turn.sandbox_policy, + file_system_policy: &turn.file_system_sandbox_policy, + network_policy: turn.network_sandbox_policy, + enforce_managed_network: false, + manager: &sandbox_manager, + sandbox_cwd: &turn.cwd, + codex_linux_sandbox_exe: turn.codex_linux_sandbox_exe.as_ref(), + use_legacy_landlock: turn.features.use_legacy_landlock(), + windows_sandbox_level: turn.windows_sandbox_level, + windows_sandbox_private_desktop: turn.config.permissions.windows_sandbox_private_desktop, + }; + let exec_request = attempt + .env_for( + CommandSpec { + program: exe.to_string_lossy().to_string(), + args: vec![ + CODEX_CORE_FS_OPS_ARG1.to_string(), + "read".to_string(), + path.to_string_lossy().to_string(), + ], + cwd: turn.cwd.clone(), + env: HashMap::new(), + expiration: ExecExpiration::Timeout(SANDBOXED_FS_TIMEOUT), + sandbox_permissions: SandboxPermissions::UseDefault, + additional_permissions, + justification: None, + }, + /*network*/ None, + ) + .map_err(|error| SandboxedFsError::ProcessFailed { + path: path.to_path_buf(), + exit_code: -1, + message: error.to_string(), + })?; + + let output = execute_env_bytes(exec_request, /*stdout_stream*/ None) + .await + .map_err(|error| map_exec_error(path, error))?; + if output.exit_code != 0 { + return Err(parse_helper_failure( + path, + output.exit_code, + &output.stderr.text, + &output.stdout.text, + )); + } + + Ok(output) +} + +async fn effective_granted_permissions(session: &Session) -> Option { + let granted_session_permissions = session.granted_session_permissions().await; + let granted_turn_permissions = session.granted_turn_permissions().await; + merge_permission_profiles( + granted_session_permissions.as_ref(), + granted_turn_permissions.as_ref(), + ) +} + +fn map_exec_error(path: &Path, error: CodexErr) -> SandboxedFsError { + match error { + CodexErr::Sandbox(SandboxErr::Timeout { .. }) => SandboxedFsError::TimedOut { + path: path.to_path_buf(), + }, + _ => SandboxedFsError::ProcessFailed { + path: path.to_path_buf(), + exit_code: -1, + message: error.to_string(), + }, + } +} + +fn parse_helper_failure( + path: &Path, + exit_code: i32, + stderr: &[u8], + stdout: &[u8], +) -> SandboxedFsError { + if let Ok(error) = serde_json::from_slice::(stderr) { + return SandboxedFsError::Operation { + path: path.to_path_buf(), + error, + }; + } + + let stderr = String::from_utf8_lossy(stderr); + let stdout = String::from_utf8_lossy(stdout); + let message = if !stderr.trim().is_empty() { + stderr.trim().to_string() + } else if !stdout.trim().is_empty() { + stdout.trim().to_string() + } else { + "no error details emitted".to_string() + }; + + SandboxedFsError::ProcessFailed { + path: path.to_path_buf(), + exit_code, + message, + } +} + +#[derive(Debug, thiserror::Error)] +pub(crate) enum SandboxedFsError { + #[error("failed to determine codex executable: {message}")] + ResolveExe { message: String }, + #[error("sandboxed fs helper timed out while accessing `{path}`")] + TimedOut { path: PathBuf }, + #[error("sandboxed fs helper exited with code {exit_code} while accessing `{path}`: {message}")] + ProcessFailed { + path: PathBuf, + exit_code: i32, + message: String, + }, + #[error("sandboxed fs helper could not access `{path}`: {error}")] + Operation { path: PathBuf, error: FsError }, +} + +impl SandboxedFsError { + pub(crate) fn operation_error_kind(&self) -> Option<&FsErrorKind> { + match self { + Self::Operation { error, .. } => Some(&error.kind), + _ => None, + } + } + + pub(crate) fn operation_error_message(&self) -> Option<&str> { + match self { + Self::Operation { error, .. } => Some(error.message.as_str()), + _ => None, + } + } + + #[allow(dead_code)] + pub(crate) fn to_io_error(&self) -> std::io::Error { + match self { + Self::Operation { error, .. } => error.to_io_error(), + Self::TimedOut { .. } => { + std::io::Error::new(std::io::ErrorKind::TimedOut, self.to_string()) + } + Self::ResolveExe { .. } | Self::ProcessFailed { .. } => { + std::io::Error::other(self.to_string()) + } + } + } +} diff --git a/codex-rs/core/src/sandboxing/mod.rs b/codex-rs/core/src/sandboxing/mod.rs index db88788814e1..baf18343e204 100644 --- a/codex-rs/core/src/sandboxing/mod.rs +++ b/codex-rs/core/src/sandboxing/mod.rs @@ -10,9 +10,11 @@ pub(crate) mod macos_permissions; use crate::exec::ExecExpiration; use crate::exec::ExecToolCallOutput; +use crate::exec::ExecToolCallOutputBytes; use crate::exec::SandboxType; use crate::exec::StdoutStream; use crate::exec::execute_exec_request; +use crate::exec::execute_exec_request_bytes; use crate::landlock::allow_network_for_proxy; use crate::landlock::create_linux_sandbox_command_args_for_policies; use crate::protocol::SandboxPolicy; @@ -738,6 +740,20 @@ pub async fn execute_env( .await } +pub(crate) async fn execute_env_bytes( + exec_request: ExecRequest, + stdout_stream: Option, +) -> crate::error::Result { + let effective_policy = exec_request.sandbox_policy.clone(); + execute_exec_request_bytes( + exec_request, + &effective_policy, + stdout_stream, + /*after_spawn*/ None, + ) + .await +} + pub async fn execute_exec_request_with_after_spawn( exec_request: ExecRequest, stdout_stream: Option, diff --git a/codex-rs/core/src/tools/handlers/view_image.rs b/codex-rs/core/src/tools/handlers/view_image.rs index 3957549d2d89..db090a2728dd 100644 --- a/codex-rs/core/src/tools/handlers/view_image.rs +++ b/codex-rs/core/src/tools/handlers/view_image.rs @@ -1,5 +1,4 @@ use async_trait::async_trait; -use codex_environment::ExecutorFileSystem; use codex_protocol::models::ContentItem; use codex_protocol::models::FunctionCallOutputContentItem; use codex_protocol::models::ImageDetail; @@ -13,6 +12,7 @@ use crate::function_tool::FunctionCallError; use crate::original_image_detail::can_request_original_image_detail; use crate::protocol::EventMsg; use crate::protocol::ViewImageToolCallEvent; +use crate::sandboxed_fs; use crate::tools::context::FunctionToolOutput; use crate::tools::context::ToolInvocation; use crate::tools::context::ToolPayload; @@ -92,36 +92,6 @@ impl ToolHandler for ViewImageHandler { AbsolutePathBuf::try_from(turn.resolve_path(Some(args.path))).map_err(|error| { FunctionCallError::RespondToModel(format!("unable to resolve image path: {error}")) })?; - - let metadata = turn - .environment - .get_filesystem() - .get_metadata(&abs_path) - .await - .map_err(|error| { - FunctionCallError::RespondToModel(format!( - "unable to locate image at `{}`: {error}", - abs_path.display() - )) - })?; - - if !metadata.is_file { - return Err(FunctionCallError::RespondToModel(format!( - "image path `{}` is not a file", - abs_path.display() - ))); - } - let file_bytes = turn - .environment - .get_filesystem() - .read_file(&abs_path) - .await - .map_err(|error| { - FunctionCallError::RespondToModel(format!( - "unable to read image at `{}`: {error}", - abs_path.display() - )) - })?; let event_path = abs_path.to_path_buf(); let can_request_original_detail = @@ -134,10 +104,18 @@ impl ToolHandler for ViewImageHandler { PromptImageMode::ResizeToFit }; let image_detail = use_original_detail.then_some(ImageDetail::Original); + let image_bytes = sandboxed_fs::read_file(&session, &turn, abs_path.as_path()) + .await + .map_err(|error| { + FunctionCallError::RespondToModel(render_view_image_read_error( + abs_path.as_path(), + &error, + )) + })?; let content = local_image_content_items_with_label_number( abs_path.as_path(), - file_bytes, + image_bytes, /*label_number*/ None, image_mode, ) @@ -165,3 +143,30 @@ impl ToolHandler for ViewImageHandler { Ok(FunctionToolOutput::from_content(content, Some(true))) } } + +fn render_view_image_read_error( + path: &std::path::Path, + error: &sandboxed_fs::SandboxedFsError, +) -> String { + let operation_message = error + .operation_error_message() + .map(str::to_owned) + .unwrap_or_else(|| error.to_string()); + match error.operation_error_kind() { + Some(codex_fs_ops::FsErrorKind::IsADirectory) => { + format!("image path `{}` is not a file", path.display()) + } + Some(codex_fs_ops::FsErrorKind::NotFound) => { + format!( + "unable to locate image at `{}`: {operation_message}", + path.display() + ) + } + Some(_) | None => { + format!( + "unable to read image at `{}`: {operation_message}", + path.display() + ) + } + } +} diff --git a/codex-rs/core/tests/suite/view_image.rs b/codex-rs/core/tests/suite/view_image.rs index 240620a2721c..aa9b651c2f1e 100644 --- a/codex-rs/core/tests/suite/view_image.rs +++ b/codex-rs/core/tests/suite/view_image.rs @@ -3,6 +3,7 @@ use base64::Engine; use base64::engine::general_purpose::STANDARD as BASE64_STANDARD; use codex_core::CodexAuth; +use codex_core::config::Constrained; use codex_core::features::Feature; use codex_protocol::config_types::ReasoningSummary; use codex_protocol::openai_models::ConfigShellToolType; @@ -13,9 +14,15 @@ use codex_protocol::openai_models::ModelsResponse; use codex_protocol::openai_models::ReasoningEffort; use codex_protocol::openai_models::ReasoningEffortPreset; use codex_protocol::openai_models::TruncationPolicyConfig; +use codex_protocol::permissions::FileSystemAccessMode; +use codex_protocol::permissions::FileSystemPath; +use codex_protocol::permissions::FileSystemSandboxEntry; +use codex_protocol::permissions::FileSystemSandboxPolicy; +use codex_protocol::permissions::FileSystemSpecialPath; use codex_protocol::protocol::AskForApproval; use codex_protocol::protocol::EventMsg; use codex_protocol::protocol::Op; +use codex_protocol::protocol::ReadOnlyAccess; use codex_protocol::protocol::SandboxPolicy; use codex_protocol::user_input::UserInput; use core_test_support::responses; @@ -1244,6 +1251,109 @@ async fn view_image_tool_errors_when_file_missing() -> anyhow::Result<()> { Ok(()) } +#[tokio::test(flavor = "multi_thread", worker_threads = 2)] +async fn view_image_tool_respects_filesystem_sandbox() -> anyhow::Result<()> { + skip_if_no_network!(Ok(())); + + let server = start_mock_server().await; + let sandbox_policy_for_config = SandboxPolicy::ReadOnly { + access: ReadOnlyAccess::Restricted { + include_platform_defaults: true, + readable_roots: Vec::new(), + }, + network_access: false, + }; + let mut builder = test_codex().with_config({ + let sandbox_policy_for_config = sandbox_policy_for_config.clone(); + move |config| { + config.permissions.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config); + config.permissions.file_system_sandbox_policy = + FileSystemSandboxPolicy::restricted(vec![ + FileSystemSandboxEntry { + path: FileSystemPath::Special { + value: FileSystemSpecialPath::Minimal, + }, + access: FileSystemAccessMode::Read, + }, + FileSystemSandboxEntry { + path: FileSystemPath::Special { + value: FileSystemSpecialPath::CurrentWorkingDirectory, + }, + access: FileSystemAccessMode::Read, + }, + ]); + } + }); + let TestCodex { + codex, + config, + cwd, + session_configured, + .. + } = builder.build(&server).await?; + + let outside_dir = tempfile::tempdir()?; + let abs_path = outside_dir.path().join("blocked.png"); + let image = ImageBuffer::from_pixel(256, 128, Rgba([10u8, 20, 30, 255])); + image.save(&abs_path)?; + + let call_id = "view-image-sandbox-denied"; + let arguments = serde_json::json!({ "path": abs_path }).to_string(); + + let first_response = sse(vec![ + ev_response_created("resp-1"), + ev_function_call(call_id, "view_image", &arguments), + ev_completed("resp-1"), + ]); + responses::mount_sse_once(&server, first_response).await; + + let second_response = sse(vec![ + ev_assistant_message("msg-1", "done"), + ev_completed("resp-2"), + ]); + let mock = responses::mount_sse_once(&server, second_response).await; + + let session_model = session_configured.model.clone(); + + codex + .submit(Op::UserTurn { + items: vec![UserInput::Text { + text: "please attach the outside image".into(), + text_elements: Vec::new(), + }], + final_output_json_schema: None, + cwd: cwd.path().to_path_buf(), + approval_policy: AskForApproval::Never, + sandbox_policy: config.permissions.sandbox_policy.get().clone(), + model: session_model, + effort: None, + summary: None, + service_tier: None, + collaboration_mode: None, + personality: None, + }) + .await?; + + wait_for_event(&codex, |event| matches!(event, EventMsg::TurnComplete(_))).await; + + let request = mock.single_request(); + assert!( + request.inputs_of_type("input_image").is_empty(), + "sandbox-denied image should not produce an input_image message" + ); + let output_text = request + .function_call_output_content_and_success(call_id) + .and_then(|(content, _)| content) + .expect("output text present"); + let expected_prefix = format!("unable to read image at `{}`:", abs_path.display()); + assert!( + output_text.starts_with(&expected_prefix), + "expected sandbox denial prefix `{expected_prefix}` but got `{output_text}`" + ); + + Ok(()) +} + #[tokio::test(flavor = "multi_thread", worker_threads = 2)] async fn view_image_tool_returns_unsupported_message_for_text_only_model() -> anyhow::Result<()> { skip_if_no_network!(Ok(())); diff --git a/codex-rs/fs-ops/BUILD.bazel b/codex-rs/fs-ops/BUILD.bazel new file mode 100644 index 000000000000..87fe4d551711 --- /dev/null +++ b/codex-rs/fs-ops/BUILD.bazel @@ -0,0 +1,6 @@ +load("//:defs.bzl", "codex_rust_crate") + +codex_rust_crate( + name = "fs-ops", + crate_name = "codex_fs_ops", +) diff --git a/codex-rs/fs-ops/Cargo.toml b/codex-rs/fs-ops/Cargo.toml new file mode 100644 index 000000000000..2b7495f0d27b --- /dev/null +++ b/codex-rs/fs-ops/Cargo.toml @@ -0,0 +1,22 @@ +[package] +name = "codex-fs-ops" +version.workspace = true +edition.workspace = true +license.workspace = true + +[lib] +name = "codex_fs_ops" +path = "src/lib.rs" + +[lints] +workspace = true + +[dependencies] +anyhow = { workspace = true } +base64 = { workspace = true } +serde = { workspace = true, features = ["derive"] } +serde_json = { workspace = true } + +[dev-dependencies] +pretty_assertions = { workspace = true } +tempfile = { workspace = true } diff --git a/codex-rs/fs-ops/src/command.rs b/codex-rs/fs-ops/src/command.rs new file mode 100644 index 000000000000..1c04c5fa1dfa --- /dev/null +++ b/codex-rs/fs-ops/src/command.rs @@ -0,0 +1,38 @@ +use std::ffi::OsString; +use std::path::PathBuf; + +#[derive(Debug, Clone, PartialEq, Eq)] +pub enum FsCommand { + ReadFile { path: PathBuf }, +} + +pub fn parse_command_from_args( + mut args: impl Iterator, +) -> Result { + let Some(operation) = args.next() else { + return Err("missing operation".to_string()); + }; + let Some(operation) = operation.to_str() else { + return Err("operation must be valid UTF-8".to_string()); + }; + let Some(path) = args.next() else { + return Err(format!("missing path for operation `{operation}`")); + }; + if args.next().is_some() { + return Err(format!( + "unexpected extra arguments for operation `{operation}`" + )); + } + + let path = PathBuf::from(path); + match operation { + "read" => Ok(FsCommand::ReadFile { path }), + _ => Err(format!( + "unsupported filesystem operation `{operation}`; expected `read`" + )), + } +} + +#[cfg(test)] +#[path = "command_tests.rs"] +mod tests; diff --git a/codex-rs/fs-ops/src/command_tests.rs b/codex-rs/fs-ops/src/command_tests.rs new file mode 100644 index 000000000000..c68d5a4a18ec --- /dev/null +++ b/codex-rs/fs-ops/src/command_tests.rs @@ -0,0 +1,16 @@ +use super::FsCommand; +use super::parse_command_from_args; +use pretty_assertions::assert_eq; + +#[test] +fn parse_read_command() { + let command = parse_command_from_args(["read", "/tmp/example.png"].into_iter().map(Into::into)) + .expect("command should parse"); + + assert_eq!( + command, + FsCommand::ReadFile { + path: "/tmp/example.png".into(), + } + ); +} diff --git a/codex-rs/fs-ops/src/constants.rs b/codex-rs/fs-ops/src/constants.rs new file mode 100644 index 000000000000..ae71a287e1b3 --- /dev/null +++ b/codex-rs/fs-ops/src/constants.rs @@ -0,0 +1,3 @@ +/// Special argv[1] flag used when the Codex executable self-invokes to run the +/// internal sandbox-backed filesystem helper path. +pub const CODEX_CORE_FS_OPS_ARG1: &str = "--codex-run-as-fs-ops"; diff --git a/codex-rs/fs-ops/src/error.rs b/codex-rs/fs-ops/src/error.rs new file mode 100644 index 000000000000..a914056823ec --- /dev/null +++ b/codex-rs/fs-ops/src/error.rs @@ -0,0 +1,70 @@ +use serde::Deserialize; +use serde::Serialize; +use std::io::ErrorKind; + +#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)] +#[serde(rename_all = "snake_case")] +pub enum FsErrorKind { + NotFound, + PermissionDenied, + IsADirectory, + InvalidData, + Other, +} + +impl From for FsErrorKind { + fn from(value: ErrorKind) -> Self { + match value { + ErrorKind::NotFound => Self::NotFound, + ErrorKind::PermissionDenied => Self::PermissionDenied, + ErrorKind::IsADirectory => Self::IsADirectory, + ErrorKind::InvalidData => Self::InvalidData, + _ => Self::Other, + } + } +} + +impl FsErrorKind { + pub fn to_io_error_kind(&self) -> ErrorKind { + match self { + Self::NotFound => ErrorKind::NotFound, + Self::PermissionDenied => ErrorKind::PermissionDenied, + Self::IsADirectory => ErrorKind::IsADirectory, + Self::InvalidData => ErrorKind::InvalidData, + Self::Other => ErrorKind::Other, + } + } +} + +#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)] +pub struct FsError { + pub kind: FsErrorKind, + pub message: String, + pub raw_os_error: Option, +} + +impl std::fmt::Display for FsError { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.write_str(&self.message) + } +} + +impl FsError { + pub fn to_io_error(&self) -> std::io::Error { + if let Some(raw_os_error) = self.raw_os_error { + std::io::Error::from_raw_os_error(raw_os_error) + } else { + std::io::Error::new(self.kind.to_io_error_kind(), self.message.clone()) + } + } +} + +impl From for FsError { + fn from(error: std::io::Error) -> Self { + Self { + kind: error.kind().into(), + message: error.to_string(), + raw_os_error: error.raw_os_error(), + } + } +} diff --git a/codex-rs/fs-ops/src/lib.rs b/codex-rs/fs-ops/src/lib.rs new file mode 100644 index 000000000000..a3be23264838 --- /dev/null +++ b/codex-rs/fs-ops/src/lib.rs @@ -0,0 +1,13 @@ +mod command; +mod constants; +mod error; +mod runner; + +pub use command::FsCommand; +pub use command::parse_command_from_args; +pub use constants::CODEX_CORE_FS_OPS_ARG1; +pub use error::FsError; +pub use error::FsErrorKind; +pub use runner::execute; +pub use runner::run_from_args; +pub use runner::write_error; diff --git a/codex-rs/fs-ops/src/runner.rs b/codex-rs/fs-ops/src/runner.rs new file mode 100644 index 000000000000..bafdabba5516 --- /dev/null +++ b/codex-rs/fs-ops/src/runner.rs @@ -0,0 +1,55 @@ +use crate::FsCommand; +use crate::FsError; +use crate::parse_command_from_args; +use anyhow::Context; +use anyhow::Result; +use std::ffi::OsString; +use std::io::Read; +use std::io::Write; + +pub fn run_from_args( + args: impl Iterator, + stdin: &mut impl Read, + stdout: &mut impl Write, + stderr: &mut impl Write, +) -> Result<()> { + let command = match parse_command_from_args(args) { + Ok(command) => command, + Err(error) => { + writeln!(stderr, "{error}").context("failed to write fs helper usage error")?; + anyhow::bail!("{error}"); + } + }; + + if let Err(error) = execute(command, stdin, stdout) { + write_error(stderr, &error)?; + anyhow::bail!("{error}"); + } + + Ok(()) +} + +pub fn execute( + command: FsCommand, + _stdin: &mut impl Read, + stdout: &mut impl Write, +) -> Result<(), FsError> { + match command { + FsCommand::ReadFile { path } => { + let mut file = std::fs::File::open(path).map_err(FsError::from)?; + std::io::copy(&mut file, stdout) + .map(|_| ()) + .map_err(FsError::from) + } + } +} + +pub fn write_error(stderr: &mut impl Write, error: &FsError) -> Result<()> { + serde_json::to_writer(&mut *stderr, error).context("failed to serialize fs error")?; + writeln!(stderr).context("failed to terminate fs error with newline")?; + Ok(()) +} + +#[cfg(test)] +#[path = "runner_tests.rs"] +mod tests; diff --git a/codex-rs/fs-ops/src/runner_tests.rs b/codex-rs/fs-ops/src/runner_tests.rs new file mode 100644 index 000000000000..ca7396b5d135 --- /dev/null +++ b/codex-rs/fs-ops/src/runner_tests.rs @@ -0,0 +1,76 @@ +use super::execute; +use crate::FsCommand; +use crate::FsErrorKind; +use crate::run_from_args; +use pretty_assertions::assert_eq; +use tempfile::tempdir; + +#[test] +fn run_from_args_streams_file_bytes_to_stdout() { + let tempdir = tempdir().expect("tempdir"); + let path = tempdir.path().join("image.bin"); + let expected = b"hello\x00world".to_vec(); + std::fs::write(&path, &expected).expect("write test file"); + + let mut stdout = Vec::new(); + let mut stderr = Vec::new(); + let mut stdin = std::io::empty(); + run_from_args( + ["read", path.to_str().expect("utf-8 test path")] + .into_iter() + .map(Into::into), + &mut stdin, + &mut stdout, + &mut stderr, + ) + .expect("read should succeed"); + + assert_eq!(stdout, expected); + assert_eq!(stderr, Vec::::new()); +} + +#[test] +fn read_reports_directory_error() { + let tempdir = tempdir().expect("tempdir"); + let mut stdout = Vec::new(); + let mut stdin = std::io::empty(); + + let error = execute( + FsCommand::ReadFile { + path: tempdir.path().to_path_buf(), + }, + &mut stdin, + &mut stdout, + ) + .expect_err("reading a directory should fail"); + + #[cfg(target_os = "windows")] + assert_eq!(error.kind, FsErrorKind::PermissionDenied); + #[cfg(not(target_os = "windows"))] + assert_eq!(error.kind, FsErrorKind::IsADirectory); +} + +#[test] +fn run_from_args_serializes_errors_to_stderr() { + let tempdir = tempdir().expect("tempdir"); + let missing = tempdir.path().join("missing.txt"); + let mut stdout = Vec::new(); + let mut stderr = Vec::new(); + let mut stdin = std::io::empty(); + + let result = run_from_args( + ["read", missing.to_str().expect("utf-8 test path")] + .into_iter() + .map(Into::into), + &mut stdin, + &mut stdout, + &mut stderr, + ); + + assert!(result.is_err(), "missing file should fail"); + assert_eq!(stdout, Vec::::new()); + + let error: crate::FsError = serde_json::from_slice(&stderr).expect("structured fs error"); + assert_eq!(error.kind, FsErrorKind::NotFound); + assert!(error.raw_os_error.is_some()); +} diff --git a/codex-rs/utils/image/src/lib.rs b/codex-rs/utils/image/src/lib.rs index 8fd0724263d8..e7ae1cff1e6b 100644 --- a/codex-rs/utils/image/src/lib.rs +++ b/codex-rs/utils/image/src/lib.rs @@ -59,7 +59,6 @@ pub fn load_for_prompt_bytes( mode: PromptImageMode, ) -> Result { let path_buf = path.to_path_buf(); - let key = ImageCacheKey { digest: sha1_digest(&file_bytes), mode,