fix(permissions): fix symlinked writable roots in sandbox permissions

[viyatb-oai]

Summary

• preserve logical symlink paths during permission normalization and config cwd handling
• bind real targets for symlinked readable/writable roots in bwrap and remap carveouts and unreadable roots there
• add regressions for symlinked carveouts and nested symlink escape masking

Root cause

Permission normalization canonicalized symlinked writable roots and cwd to their real targets too early. That drifted policy checks away from the logical paths the sandboxed process can actually address, while bwrap still needed the real targets for mounts. The mismatch caused shell and apply_patch failures on symlinked writable roots.

Impact

Fixes #15781.

Also fixes #17079:

• Linux bwrap fails when protected symlinked carveout points outside writable roots (No such file or directory) #17079 is the protected symlinked carveout side: bwrap now binds the real symlinked writable-root target and remaps carveouts before masking.

Related to #15157:

• Symlinks are not resolved for permission checks #15157 is the broader permission-check side of this path-identity problem. This PR addresses the shared logical-vs-canonical normalization issue, but the reported Darwin prompt behavior should be validated separately before auto-closing it.

This should also fix #14672, #14694, #14715, and #15725:

• bwrap sandbox bind fails with symlinked TMPDIR #14672, apply_patch fails when writable roots are symlinked (bwrap bind error) #14694, and apply_patch still fails with symlinked ~/.codex (v0.115.0-alpha.23) #14715 are the same Linux symlinked-writable-root/bwrap family as shell write denial vs apply_patch success on symlinked paths #15781.
• Linux sandbox fails with "bwrap: Can't create file ... Is a directory" when protected workspace path is a symlinked directory #15725 is the protected symlinked workspace path variant; the PR preserves the protected logical path in policy space while bwrap applies read-only or unreadable treatment to the resolved target so file-vs-directory bind mismatches do not abort sandbox setup.

Notes

• Added Linux-only regressions for symlinked writable ancestors and protected symlinked directory targets, including nested symlink escape masking without rebinding the escape target writable.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 532001fabb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[viyatb-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5072f6d2fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[etraut-openai]

Whew, keeping track of when paths are already canonicalized and when they are not is difficult. We should think about whether there's a way to make this clearer through variable names or even types, but that's beyond the scope of this PR. I'm going to have to place some trust in codex's reviews because I can't say with confidence that there's no bug here. I did spend quite a bit of time reviewing, and I didn't find any issues. This will be a nice fix to get in place!