Skip to content

fix: enforce sandbox envelope for zsh fork execution#12800

Merged
bolinfest merged 1 commit intomainfrom
pr12800
Feb 25, 2026
Merged

fix: enforce sandbox envelope for zsh fork execution#12800
bolinfest merged 1 commit intomainfrom
pr12800

Conversation

@bolinfest
Copy link
Collaborator

@bolinfest bolinfest commented Feb 25, 2026
edited
Loading

Why

Zsh fork execution was still able to bypass the WorkspaceWrite model in edge cases because the fork path reconstructed command execution without preserving sandbox wrappers, and command extraction only accepted shell invocations in a narrow positional shape. This can allow commands to run with broader filesystem access than expected, which breaks the sandbox safety model.

What changed

  • Preserved the sandboxed ExecRequest produced by attempt.env_for(...) when entering the zsh fork path in unix_escalation.rs.
  • Updated CoreShellCommandExecutor to execute the sandboxed command and working directory captured from attempt.env_for(...), instead of re-running a freshly reconstructed shell command.
  • Made zsh-fork script extraction robust to wrapped invocations by scanning command arguments for -c/-lc rather than only matching the first positional form.
  • Added unit tests in unix_escalation.rs to lock in wrapper-tolerant parsing behavior and keep unsupported shell forms rejected.
  • Tightened the regression in skill_approval.rs:
    • shell_zsh_fork_still_enforces_workspace_write_sandbox now uses an explicit WorkspaceWrite policy with exclude_tmpdir_env_var: true and exclude_slash_tmp: true.
    • The test attempts to write to /tmp/..., which is only reliably outside writable roots with those explicit exclusions set.

Verification

  • Added and passed the new unit tests around extract_shell_script parsing behavior with wrapped command shapes.
    • extract_shell_script_supports_wrapped_command_prefixes
    • extract_shell_script_rejects_unsupported_shell_invocation
  • Verified the regression with the focused integration test: shell_zsh_fork_still_enforces_workspace_write_sandbox.

Manual Testing

Prior to this change, if I ran Codex via:

just codex --config zsh_path=/Users/mbolin/code/codex2/codex-rs/app-server/tests/suite/zsh --enable shell_zsh_fork

and asked:

what is the output of /bin/ps

it would run it, even though the default sandbox should prevent the agent from running /bin/ps because it is setuid on MacOS.

But with this change, I now see the expected failure because it is blocked by the sandbox:

/bin/ps exited with status 1 and produced no output in this environment.

@bolinfest bolinfest changed the title fix: zsh-shell-fork was not honoring sandbox fix: enforce sandbox envelope in zsh-fork shell execution Feb 25, 2026
@bolinfest bolinfest changed the title fix: enforce sandbox envelope in zsh-fork shell execution fix: enforce sandbox envelope for zsh fork execution Feb 25, 2026
@bolinfest bolinfest merged commit 648a420 into main Feb 25, 2026
50 of 58 checks passed
@bolinfest bolinfest deleted the pr12800 branch February 25, 2026 19:05
@github-actions github-actions bot locked and limited conversation to collaborators Feb 25, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pakrym-oai pakrym-oai pakrym-oai approved these changes

@nornagon-openai nornagon-openai Awaiting requested review from nornagon-openai

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bolinfest @pakrym-oai