mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
85fd52f7e4
## Why `codex sandbox` can start a network proxy from a configured permission profile. Previously, sandbox-level containment was tied to managed network requirements rather than whether a proxy was actually active. This meant config-driven proxy policies were not consistently enforced as the sandbox's only network path. ## What changed - Enable proxy-only network containment whenever `codex sandbox` starts a network proxy. - Apply the same active-proxy check to the macOS and Linux sandbox paths. - Add a Linux regression test that verifies a sandboxed command cannot establish a direct connection while the configured proxy is active. ## Test plan - `just test -p codex-cli debug_sandbox::tests` - `sandbox_with_network_proxy_blocks_direct_loopback_access` runs on Linux to cover the config-driven proxy path end to end.
15 lines
334 B
Python
15 lines
334 B
Python
load("//:defs.bzl", "MACOS_WEBRTC_RUSTC_LINK_FLAGS", "codex_rust_crate", "multiplatform_binaries")
|
|
|
|
codex_rust_crate(
|
|
name = "cli",
|
|
crate_name = "codex_cli",
|
|
extra_binaries = [
|
|
"//codex-rs/bwrap:bwrap",
|
|
],
|
|
rustc_flags_extra = MACOS_WEBRTC_RUSTC_LINK_FLAGS,
|
|
)
|
|
|
|
multiplatform_binaries(
|
|
name = "codex",
|
|
)
|