2 changes: 2 additions & 0 deletions codex-rs/app-server/src/config_api.rs
Expand Up @@ -591,6 +591,7 @@ mod tests {
}),
allow_local_binding: Some(true),
}),
permissions: None,
};

let mapped = map_requirements_toml_to_api(requirements);
Expand Down Expand Up @@ -716,6 +717,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
};

let mapped = map_requirements_toml_to_api(requirements);
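Review bot: Both fixtures in this file, and all fifteen updated in `codex-rs/cloud-requirements/src/lib.rs`, set `permissions: None`, so nothing in these tests shows what `map_requirements_toml_to_api` or the cloud fetch-and-cache path does when a managed `[permissions.filesystem]` deny list is actually present. The mapping function's body is outside the visible hunks, so whether it surfaces or silently drops the new field cannot be confirmed from here. Consider one test per crate with a populated value, for example `permissions: Some(PermissionsRequirementsToml { filesystem: Some(FilesystemRequirementsToml { deny_read: Some(vec![/* constructed absolute path */]) }) })`, asserting the expected API or cached output.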
15 changes: 15 additions & 0 deletions codex-rs/cloud-requirements/src/lib.rs
Expand Up @@ -1149,6 +1149,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
}
Expand Down Expand Up @@ -1177,6 +1178,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
}
Expand Down Expand Up @@ -1222,6 +1224,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
})
);
}
Expand Down Expand Up @@ -1303,6 +1306,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 2);
Expand Down Expand Up @@ -1374,6 +1378,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 2);
Expand Down Expand Up @@ -1443,6 +1448,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);

Expand Down Expand Up @@ -1606,6 +1612,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 0);
Expand Down Expand Up @@ -1636,6 +1643,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);

Expand Down Expand Up @@ -1686,6 +1694,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
Expand Down Expand Up @@ -1735,6 +1744,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
Expand Down Expand Up @@ -1788,6 +1798,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
Expand Down Expand Up @@ -1842,6 +1853,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);
assert_eq!(fetcher.request_count.load(Ordering::SeqCst), 1);
Expand Down Expand Up @@ -1896,6 +1908,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
})
);
let payload_bytes = cache_payload_bytes(&cache_file.signed_payload).expect("payload bytes");
Expand Down Expand Up @@ -1983,6 +1996,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
}))
);

Expand All @@ -2009,6 +2023,7 @@ enabled = false
rules: None,
enforce_residency: None,
network: None,
permissions: None,
})
);
}
85 changes: 85 additions & 0 deletions codex-rs/config/src/config_requirements.rs
Expand Up @@ -86,6 +86,8 @@ pub struct ConfigRequirements {
pub enforce_residency: ConstrainedWithSource<Option<ResidencyRequirement>>,
/// Managed network constraints derived from requirements.
pub network: Option<Sourced<NetworkConstraints>>,
/// Managed filesystem constraints derived from requirements.
pub filesystem: Option<Sourced<FilesystemConstraints>>,
}

impl Default for ConfigRequirements {
Expand All @@ -111,6 +113,7 @@ impl Default for ConfigRequirements {
/*source*/ None,
),
network: None,
filesystem: None,
}
}
}
Expand Down Expand Up @@ -396,6 +399,31 @@ impl From<NetworkRequirementsToml> for NetworkConstraints {
}
}

#[derive(Deserialize, Debug, Clone, Default, PartialEq, Eq)]
pub struct FilesystemRequirementsToml {
pub deny_read: Option<Vec<AbsolutePathBuf>>,
}

#[derive(Deserialize, Debug, Clone, Default, PartialEq, Eq)]
pub struct PermissionsRequirementsToml {
pub filesystem: Option<FilesystemRequirementsToml>,
}

#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
pub struct FilesystemConstraints {
pub deny_read: Vec<AbsolutePathBuf>,
}

impl From<PermissionsRequirementsToml> for FilesystemConstraints {
fn from(value: PermissionsRequirementsToml) -> Self {
let deny_read = value
.filesystem
.and_then(|filesystem| filesystem.deny_read)
.unwrap_or_default();
Self { deny_read }
}
}

#[derive(Deserialize, Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
#[serde(rename_all = "lowercase")]
pub enum WebSearchModeRequirement {
Expand Down Expand Up @@ -497,6 +525,7 @@ pub struct ConfigRequirementsToml {
pub enforce_residency: Option<ResidencyRequirement>,
#[serde(rename = "experimental_network")]
pub network: Option<NetworkRequirementsToml>,
pub permissions: Option<PermissionsRequirementsToml>,
pub guardian_developer_instructions: Option<String>,
}

Expand Down Expand Up @@ -533,6 +562,7 @@ pub struct ConfigRequirementsWithSources {
pub rules: Option<Sourced<RequirementsExecPolicyToml>>,
pub enforce_residency: Option<Sourced<ResidencyRequirement>>,
pub network: Option<Sourced<NetworkRequirementsToml>>,
pub permissions: Option<Sourced<PermissionsRequirementsToml>>,
pub guardian_developer_instructions: Option<Sourced<String>>,
}

Expand Down Expand Up @@ -564,6 +594,7 @@ impl ConfigRequirementsWithSources {
rules: _,
enforce_residency: _,
network: _,
permissions: _,
guardian_developer_instructions: _,
} = &other;

Expand All @@ -588,6 +619,7 @@ impl ConfigRequirementsWithSources {
rules,
enforce_residency,
network,
permissions,
guardian_developer_instructions,
}
);
Expand All @@ -612,6 +644,7 @@ impl ConfigRequirementsWithSources {
rules,
enforce_residency,
network,
permissions,
guardian_developer_instructions,
} = self;
ConfigRequirementsToml {
Expand All @@ -624,6 +657,7 @@ impl ConfigRequirementsWithSources {
rules: rules.map(|sourced| sourced.value),
enforce_residency: enforce_residency.map(|sourced| sourced.value),
network: network.map(|sourced| sourced.value),
permissions: permissions.map(|sourced| sourced.value),
guardian_developer_instructions: guardian_developer_instructions
.map(|sourced| sourced.value),
}
Expand Down Expand Up @@ -680,6 +714,7 @@ impl ConfigRequirementsToml {
&& self.rules.is_none()
&& self.enforce_residency.is_none()
&& self.network.is_none()
&& self.permissions.is_none()
&& self
.guardian_developer_instructions
.as_deref()
Expand All @@ -701,6 +736,7 @@ impl TryFrom<ConfigRequirementsWithSources> for ConfigRequirements {
rules,
enforce_residency,
network,
permissions,
guardian_developer_instructions: _guardian_developer_instructions,
} = toml;

Expand Down Expand Up @@ -876,6 +912,10 @@ impl TryFrom<ConfigRequirementsWithSources> for ConfigRequirements {
let Sourced { value, source } = sourced_network;
Sourced::new(NetworkConstraints::from(value), source)
});
let filesystem = permissions.map(|sourced_permissions| {
let Sourced { value, source } = sourced_permissions;
Sourced::new(FilesystemConstraints::from(value), source)
});
Ok(ConfigRequirements {
approval_policy,
sandbox_policy,
Expand All @@ -885,6 +925,7 @@ impl TryFrom<ConfigRequirementsWithSources> for ConfigRequirements {
exec_policy,
enforce_residency,
network,
filesystem,
})
}
}
Expand Down Expand Up @@ -922,6 +963,7 @@ mod tests {
rules,
enforce_residency,
network,
permissions,
guardian_developer_instructions,
} = toml;
ConfigRequirementsWithSources {
Expand All @@ -939,6 +981,7 @@ mod tests {
enforce_residency: enforce_residency
.map(|value| Sourced::new(value, RequirementSource::Unknown)),
network: network.map(|value| Sourced::new(value, RequirementSource::Unknown)),
permissions: permissions.map(|value| Sourced::new(value, RequirementSource::Unknown)),
guardian_developer_instructions: guardian_developer_instructions
.map(|value| Sourced::new(value, RequirementSource::Unknown)),
}
Expand Down Expand Up @@ -978,6 +1021,7 @@ mod tests {
rules: None,
enforce_residency: Some(enforce_residency),
network: None,
permissions: None,
guardian_developer_instructions: Some(guardian_developer_instructions.clone()),
};

Expand All @@ -1004,6 +1048,7 @@ mod tests {
rules: None,
enforce_residency: Some(Sourced::new(enforce_residency, enforce_source)),
network: None,
permissions: None,
guardian_developer_instructions: Some(Sourced::new(
guardian_developer_instructions,
source,
Expand Down Expand Up @@ -1042,6 +1087,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
guardian_developer_instructions: None,
}
);
Expand Down Expand Up @@ -1085,6 +1131,7 @@ mod tests {
rules: None,
enforce_residency: None,
network: None,
permissions: None,
guardian_developer_instructions: None,
}
);
Expand Down Expand Up @@ -1157,6 +1204,44 @@ guardian_developer_instructions = """
Ok(())
}

#[test]
fn deserialize_filesystem_deny_read_requirements() -> Result<()> {
let deny_read_0 = if cfg!(windows) {
r"C:\Users\viyatb\.gitconfig"
} else {
"/home/viyatb/.gitconfig"
};
let deny_read_1 = if cfg!(windows) {
r"C:\Users\viyatb\.ssh"
} else {
"/home/viyatb/.ssh"
};
let toml_str = format!(
r#"
[permissions.filesystem]
deny_read = [{deny_read_0:?}, {deny_read_1:?}]
"#
);

let config: ConfigRequirementsToml = from_str(&toml_str)?;
let requirements: ConfigRequirements = with_unknown_source(config).try_into()?;

assert_eq!(
requirements.filesystem,
Some(Sourced::new(
FilesystemConstraints {
deny_read: vec![
AbsolutePathBuf::from_absolute_path(deny_read_0)?,
AbsolutePathBuf::from_absolute_path(deny_read_1)?,
],
},
RequirementSource::Unknown,
))
);

Ok(())
}

#[test]
fn deserialize_apps_requirements() -> Result<()> {
let toml_str = r#"
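Review bot: `FilesystemRequirementsToml` and `PermissionsRequirementsToml` derive `Deserialize` with every field optional and no `#[serde(deny_unknown_fields)]`, so a misspelled key in a managed requirements file (for example `deny_reads` under `[permissions.filesystem]`) would, as far as these hunks show, parse cleanly and yield an empty deny list instead of an error. For a deny policy that is a fail-open outcome; consider adding `#[serde(deny_unknown_fields)]` to both structs, or, if unknown keys must stay tolerated for forward compatibility, logging them, and add a test that pins whichever behaviour is chosen. Separately, `permissions.map(...)` combined with the `unwrap_or_default()` in the `From` impl turns a bare `[permissions]` table into `Some(FilesystemConstraints { deny_read: vec![] })`, so callers cannot read `filesystem.is_some()` as meaning a deny list is configured; a `///` line on `ConfigRequirements::filesystem` saying so would help. The new test covers only the happy path, and the merge and enforcement code for `permissions` lies outside the visible hunks.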