[codex core] Require approval for fake shell escalation #22171

Open
evawong-oai wants to merge 1 commit into main from codex/cli-8725-fake-shell-sandbox-escape

Conversation

@evawong-oai (Contributor)

Summary

  1. Require approval when a known safe command also requests sandbox expansion.
  2. Keep the shell executable identity in approval cache keys for Bash and PowerShell wrappers.
  3. Treat a model-supplied exec command shell as mutating, then cover the fake shell path with an integration regression.

Why

CLI 8725 reported that a fake bash wrapper could hide behind an inner ls call and run outside the sandbox with no user approval. This PR keeps command safety separate from permission safety.

Validation

  1. Ran formatter.
  2. Ran the codex core fake shell integration regression.
  3. Ran the focused codex core policy, canonicalization, and mutating shell tests.
  4. Ran the codex core clippy fix check.
  5. AWS macOS VM reproduced current main and passed the patched worktree. Current main created the proof file. The patched worktree created no proof file.

Tickets

CLI 8725

@evawong-oai evawong-oai marked this pull request as ready for review May 11, 2026 18:24
@evawong-oai evawong-oai requested a review from a team as a code owner May 11, 2026 18:24

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

```rust
proposed_execpolicy_amendment: requested_amendment.or_else(|| {
    if auto_amendment_allowed {
        try_derive_execpolicy_amendment_for_prompt_rules(
            &evaluation.matched_rules,
        )
        // remainder of the closure not included in the review excerpt
```

P1: Omit unsafe amendments for shell overrides

The fake-shell path now prompts, but it still proposes an execpolicy amendment for only the parsed inner command (for `/tmp/.../bash -lc ls`, `['ls']`). If the user accepts that amendment, it is persisted as an allow rule, so the same fake shell with `RequireEscalated` later becomes an explicit policy allow and bypasses the sandbox without another approval. Suppress amendments for sandbox overrides/model shells or include the wrapper identity.

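The policy split the PR summary describes (command safety decided separately from permission safety, the shell executable identity kept in the approval cache key, a model-supplied shell treated as mutating) and the amendment concern raised in the Codex review above, as an added toy model in Rust. This is not code from the codex repository: the trusted-shell list, the known-safe command list, the cache-key format and the whitespace-only split of the inner script are assumptions made for this illustration.

```rust
// Added illustration, not code from the codex repository. It models the PR's
// policy split: whether the parsed command is safe is decided separately from
// whether the request may leave the sandbox and which shell binary runs it.
// TRUSTED_SHELLS, KNOWN_SAFE, the cache-key format and the whitespace split of
// the inner script are assumptions for this example only.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SandboxRequest {
    /// Run inside the normal sandbox.
    Default,
    /// The model asked for the command to run outside the sandbox.
    RequireEscalated,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Parsed {
    /// Path of the shell wrapper (`bash -lc ...`, `pwsh -Command ...`), if any.
    pub wrapper: Option<String>,
    /// The inner command that command-safety checks look at.
    pub inner: Vec<String>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    AutoRun,
    RequireApproval,
}

/// Shell executables accepted as genuine (constructed allow-list).
const TRUSTED_SHELLS: &[&str] = &["/bin/bash", "/usr/bin/bash", "/usr/bin/pwsh"];
/// Inner commands treated as read-only (constructed toy list).
const KNOWN_SAFE: &[&str] = &["ls", "cat", "pwd"];

fn basename(path: &str) -> &str {
    path.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or(path)
}

/// Unwrap `<shell> -lc <script>` or `<pwsh> -Command <script>` into the inner argv.
/// The script is split on whitespace only; real shell parsing is out of scope here.
pub fn parse(argv: &[&str]) -> Parsed {
    if argv.len() >= 3 {
        let shell = basename(argv[0]);
        let is_bash = matches!(shell, "bash" | "sh") && matches!(argv[1], "-lc" | "-c");
        let is_pwsh = matches!(shell, "pwsh" | "pwsh.exe" | "powershell" | "powershell.exe")
            && argv[1].eq_ignore_ascii_case("-command");
        if is_bash || is_pwsh {
            return Parsed {
                wrapper: Some(argv[0].to_string()),
                inner: argv[2].split_whitespace().map(str::to_string).collect(),
            };
        }
    }
    Parsed { wrapper: None, inner: argv.iter().map(|s| s.to_string()).collect() }
}

fn wrapper_trusted(parsed: &Parsed) -> bool {
    parsed.wrapper.as_deref().map_or(true, |w| TRUSTED_SHELLS.contains(&w))
}

/// Command safety. A model-supplied (untrusted) shell is treated as mutating,
/// so an inner `ls` cannot make the whole request look safe.
pub fn is_known_safe(parsed: &Parsed) -> bool {
    wrapper_trusted(parsed)
        && parsed.inner.first().map_or(false, |c| KNOWN_SAFE.contains(&c.as_str()))
}

/// Permission safety. A sandbox escalation always needs the user, even for `ls`.
pub fn decide(argv: &[&str], sandbox: SandboxRequest) -> Decision {
    if sandbox == SandboxRequest::RequireEscalated {
        return Decision::RequireApproval;
    }
    if is_known_safe(&parse(argv)) { Decision::AutoRun } else { Decision::RequireApproval }
}

/// Approval cache key. Keeping the shell executable path and the sandbox mode in
/// the key means approving `/bin/bash -lc ls` does not also approve
/// `/tmp/x/bash -lc ls`, nor the same command with escalation requested.
pub fn approval_cache_key(argv: &[&str], sandbox: SandboxRequest) -> String {
    let parsed = parse(argv);
    format!("{}|{:?}|{}", parsed.wrapper.as_deref().unwrap_or("-"), sandbox, parsed.inner.join(" "))
}

/// Amendment proposal, following the review comment: offer to persist an allow
/// rule for the inner command only when the wrapper is trusted and no escalation
/// was requested, so an accepted rule for `ls` cannot later match the fake shell.
pub fn proposed_amendment(argv: &[&str], sandbox: SandboxRequest) -> Option<Vec<String>> {
    let parsed = parse(argv);
    if sandbox == SandboxRequest::RequireEscalated || !wrapper_trusted(&parsed) {
        return None;
    }
    Some(parsed.inner)
}

fn main() {
    let fake = ["/tmp/payload/bash", "-lc", "ls"];
    let real = ["/bin/bash", "-lc", "ls"];
    for (argv, sandbox) in [
        (&fake[..], SandboxRequest::RequireEscalated),
        (&fake[..], SandboxRequest::Default),
        (&real[..], SandboxRequest::Default),
    ] {
        println!("{:?} -> {:?}, amendment {:?}, key {}", argv, decide(argv, sandbox),
            proposed_amendment(argv, sandbox), approval_cache_key(argv, sandbox));
    }
}
```

The two decisions stay independent on purpose: `is_known_safe` never looks at the sandbox request, and `decide` never lets a safe inner command override an escalation request, which is the separation the PR description calls "command safety" versus "permission safety".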

Comment thread: codex-rs/core/src/exec_policy.rs
@evawong-oai evawong-oai force-pushed the codex/cli-8725-fake-shell-sandbox-escape branch from a8b6f3e to 5277dc8 Compare May 11, 2026 18:50
