Enforce workspace metadata protections in Seatbelt

Author: evawong-oai

codex-rs/sandboxing/src/seatbelt.rs

@@ -4,7 +4,9 @@ use codex_network_proxy::has_proxy_url_env_vars;
 use codex_network_proxy::proxy_url_env_value;
 use codex_protocol::permissions::FileSystemSandboxPolicy;
 use codex_protocol::permissions::NetworkSandboxPolicy;
+use codex_protocol::permissions::PROTECTED_METADATA_PATH_NAMES;
 use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::protocol::WritableRoot;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use std::collections::BTreeMap;
 use std::collections::BTreeSet;
@@ -328,6 +330,7 @@ fn root_absolute_path() -> AbsolutePathBuf {
 struct SeatbeltAccessRoot {
     root: AbsolutePathBuf,
     excluded_subpaths: Vec<AbsolutePathBuf>,
+    protected_metadata_names: Vec<String>,
 }
 
 fn build_seatbelt_access_policy(
@@ -342,9 +345,11 @@ fn build_seatbelt_access_policy(
         let root =
             normalize_path_for_sandbox(access_root.root.as_path()).unwrap_or(access_root.root);
         let root_param = format!("{param_prefix}_{index}");
-        params.push((root_param.clone(), root.into_path_buf()));
+        params.push((root_param.clone(), root.clone().into_path_buf()));
 
-        if access_root.excluded_subpaths.is_empty() {
+        if access_root.excluded_subpaths.is_empty()
+            && access_root.protected_metadata_names.is_empty()
+        {
             policy_components.push(format!("(subpath (param \"{root_param}\"))"));
             continue;
         }
@@ -367,6 +372,11 @@ fn build_seatbelt_access_policy(
                 "(require-not (subpath (param \"{excluded_param}\")))"
             ));
         }
+        for metadata_name in access_root.protected_metadata_names {
+            let regex =
+                seatbelt_protected_metadata_name_regex(&root, &metadata_name).replace('"', "\\\"");
+            require_parts.push(format!(r#"(require-not (regex #"{regex}"))"#));
+        }
         policy_components.push(format!("(require-all {} )", require_parts.join(" ")));
     }
 
@@ -380,6 +390,38 @@ fn build_seatbelt_access_policy(
     }
 }
 
+fn seatbelt_protected_metadata_name_regex(root: &AbsolutePathBuf, name: &str) -> String {
+    let mut root = root.to_string_lossy().to_string();
+    while root.len() > 1 && root.ends_with('/') {
+        root.pop();
+    }
+    let root = regex_lite::escape(&root);
+    let name = regex_lite::escape(name);
+    if root == "/" {
+        format!(r#"^/{name}(/.*)?$"#)
+    } else {
+        format!(r#"^{root}/{name}(/.*)?$"#)
+    }
+}
+
+fn protected_metadata_names_for_writable_root(
+    file_system_sandbox_policy: &FileSystemSandboxPolicy,
+    writable_root: &WritableRoot,
+    cwd: &Path,
+) -> Vec<String> {
+    let mut names = writable_root.protected_metadata_names.clone();
+    for name in PROTECTED_METADATA_PATH_NAMES {
+        if names.iter().any(|existing| existing == name) {
+            continue;
+        }
+        let path = writable_root.root.join(*name);
+        if !file_system_sandbox_policy.can_write_path_with_cwd(path.as_path(), cwd) {
+            names.push((*name).to_string());
+        }
+    }
+    names
+}
+
 fn build_seatbelt_unreadable_glob_policy(
     file_system_sandbox_policy: &FileSystemSandboxPolicy,
     cwd: &Path,
@@ -586,6 +628,7 @@ pub fn create_seatbelt_command_args(args: CreateSeatbeltCommandArgsParams<'_>) -
                     vec![SeatbeltAccessRoot {
                         root: root_absolute_path(),
                         excluded_subpaths: unreadable_roots.clone(),
+                        protected_metadata_names: Vec::new(),
                     }],
                 )
             }
@@ -597,6 +640,11 @@ pub fn create_seatbelt_command_args(args: CreateSeatbeltCommandArgsParams<'_>) -
                     .get_writable_roots_with_cwd(sandbox_policy_cwd)
                     .into_iter()
                     .map(|root| SeatbeltAccessRoot {
+                        protected_metadata_names: protected_metadata_names_for_writable_root(
+                            file_system_sandbox_policy,
+                            &root,
+                            sandbox_policy_cwd,
+                        ),
                         root: root.root,
                         excluded_subpaths: root.read_only_subpaths,
                     })
@@ -618,6 +666,7 @@ pub fn create_seatbelt_command_args(args: CreateSeatbeltCommandArgsParams<'_>) -
                     vec![SeatbeltAccessRoot {
                         root: root_absolute_path(),
                         excluded_subpaths: unreadable_roots,
+                        protected_metadata_names: Vec::new(),
                     }],
                 );
                 (
@@ -638,6 +687,7 @@ pub fn create_seatbelt_command_args(args: CreateSeatbeltCommandArgsParams<'_>) -
                             .filter(|path| path.as_path().starts_with(root.as_path()))
                             .cloned()
                             .collect(),
+                        protected_metadata_names: Vec::new(),
                         root,
                     })
                     .collect(),