mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
85fd52f7e4
## Why `codex sandbox` can start a network proxy from a configured permission profile. Previously, sandbox-level containment was tied to managed network requirements rather than whether a proxy was actually active. This meant config-driven proxy policies were not consistently enforced as the sandbox's only network path. ## What changed - Enable proxy-only network containment whenever `codex sandbox` starts a network proxy. - Apply the same active-proxy check to the macOS and Linux sandbox paths. - Add a Linux regression test that verifies a sandboxed command cannot establish a direct connection while the configured proxy is active. ## Test plan - `just test -p codex-cli debug_sandbox::tests` - `sandbox_with_network_proxy_blocks_direct_loopback_access` runs on Linux to cover the config-driven proxy path end to end.
71 lines
1.7 KiB
Rust
71 lines
1.7 KiB
Rust
#![cfg(target_os = "linux")]
|
|
|
|
use std::net::TcpListener;
|
|
|
|
use anyhow::Result;
|
|
use tempfile::TempDir;
|
|
|
|
const BWRAP_UNAVAILABLE_ERR: &str = "bubblewrap is unavailable";
|
|
|
|
#[test]
|
|
fn sandbox_with_network_proxy_blocks_direct_loopback_access() -> Result<()> {
|
|
let codex_home = TempDir::new()?;
|
|
let listener = TcpListener::bind("127.0.0.2:0")?;
|
|
let port = listener.local_addr()?.port();
|
|
std::fs::write(
|
|
codex_home.path().join("config.toml"),
|
|
r#"
|
|
default_permissions = "network-test"
|
|
|
|
[features]
|
|
network_proxy = true
|
|
use_legacy_landlock = true
|
|
|
|
[permissions.network-test]
|
|
extends = ":workspace"
|
|
|
|
[permissions.network-test.network]
|
|
enabled = true
|
|
mode = "full"
|
|
"#,
|
|
)?;
|
|
|
|
let url = format!("http://127.0.0.2:{port}/");
|
|
let output = std::process::Command::new(codex_utils_cargo_bin::cargo_bin("codex")?)
|
|
.env("CODEX_HOME", codex_home.path())
|
|
.args([
|
|
"sandbox",
|
|
"--permissions-profile",
|
|
"network-test",
|
|
"--",
|
|
"curl",
|
|
"--noproxy",
|
|
"*",
|
|
"--silent",
|
|
"--show-error",
|
|
"--connect-timeout",
|
|
"1",
|
|
"--max-time",
|
|
"2",
|
|
url.as_str(),
|
|
])
|
|
.output()?;
|
|
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
if stderr.contains(BWRAP_UNAVAILABLE_ERR) {
|
|
eprintln!("skipping network proxy sandbox test: bubblewrap is unavailable");
|
|
return Ok(());
|
|
}
|
|
|
|
assert_eq!(
|
|
output.status.code(),
|
|
Some(7),
|
|
"expected direct loopback access to be blocked; status={:?}; stdout={}; stderr={}",
|
|
output.status.code(),
|
|
String::from_utf8_lossy(&output.stdout),
|
|
stderr,
|
|
);
|
|
|
|
Ok(())
|
|
}
|