tests: characterize macOS sandbox link writes by bolinfest · Pull Request #21845 · openai/codex

bolinfest · 2026-05-08T23:15:27Z

Why

#21819 adds high-level coverage for sandboxed apply_patch and sandboxed fs/writeFile behavior around link aliases. This follow-up tests the lower-level macOS workspace-write sandbox directly so the boundary is explicit.

The important distinction is that writing an existing hard link inside the writable workspace preserves normal filesystem semantics, but that is not an arbitrary-write primitive by itself: the sandbox rejects creating a new hard link to a file outside the workspace, and it rejects symlink write-through to an outside target.

What Changed

Added macOS-only codex-exec sandbox tests that verify workspace-write:

allows writing through an existing hard link inside the workspace, mutating the shared inode;
rejects writing through an existing symlink to an outside file;
rejects creating a hard link to an outside file from inside the sandbox.

Testing

cargo test -p codex-exec macos_workspace_write
just fix -p codex-exec

Stack created with Sapling. Best reviewed with ReviewStack.

bolinfest requested a review from a team as a code owner May 8, 2026 23:15

bolinfest changed the base branch from main to pr21819 May 8, 2026 23:15

bolinfest mentioned this pull request May 8, 2026

tests: cover sandbox link write behavior #21819

Open

evawong-oai approved these changes May 8, 2026

View reviewed changes

bolinfest force-pushed the pr21819 branch from b191846 to 5b07ee6 Compare May 9, 2026 00:04

bolinfest force-pushed the pr21845 branch from 8874edd to e798cf3 Compare May 9, 2026 00:07

bolinfest changed the title ~~tests: demonstrate macos hard-link sandbox escape~~ tests: characterize macOS sandbox link writes May 9, 2026

bolinfest force-pushed the pr21819 branch from 5b07ee6 to b50e4f8 Compare May 9, 2026 00:13

bolinfest force-pushed the pr21845 branch from e798cf3 to 5ee77cb Compare May 9, 2026 00:13

bolinfest force-pushed the pr21819 branch from b50e4f8 to a38c847 Compare May 9, 2026 00:19

bolinfest force-pushed the pr21845 branch from 5ee77cb to 2f237af Compare May 9, 2026 00:19

bolinfest force-pushed the pr21819 branch from 501350c to ebddba6 Compare May 9, 2026 00:36

bolinfest force-pushed the pr21845 branch from 2f237af to 9b0ffba Compare May 9, 2026 00:36

tests: characterize macOS sandbox link writes

7f3c36a

bolinfest force-pushed the pr21819 branch from ebddba6 to 3dc8d98 Compare May 9, 2026 01:39

bolinfest force-pushed the pr21845 branch from 9b0ffba to 7f3c36a Compare May 9, 2026 01:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tests: characterize macOS sandbox link writes#21845

tests: characterize macOS sandbox link writes#21845
bolinfest wants to merge 1 commit intopr21819from
pr21845

bolinfest commented May 8, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

bolinfest commented May 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why

What Changed

Testing

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

bolinfest commented May 8, 2026 •

edited

Loading