feat(core) Introduce Feature::RequestPermissions#11871
Conversation
cf57554 to
686a4ba
Compare
b01add8 to
61850cc
Compare
129cf27 to
ea396ea
Compare
| ), | ||
| network_approval_context: None, | ||
| proposed_execpolicy_amendment: None, | ||
| additional_permissions: None, |
There was a problem hiding this comment.
Should network_approval_context and additional_permissions be somehow merged?
There was a problem hiding this comment.
Soon! I think both are still actively being worked on - I'd like to merge once we've stabilized the APIs
|
|
||
| When you need extra filesystem access for one command, use: | ||
|
|
||
| - `sandbox_permissions: "with_additional_permissions"` |
There was a problem hiding this comment.
do we need to make the model set sandbox_permissions?
There was a problem hiding this comment.
Technically no, but I think this is helpful for consistency with require_escalated
|
I think this PR needs a ton more integration tests that both verify that additional permissions work, error responses an that things are escalated/not escalated accordingly. |
| access: merge_read_only_access_with_additional_reads(access, extra_reads), | ||
| } | ||
| } else { | ||
| SandboxPolicy::WorkspaceWrite { |
There was a problem hiding this comment.
I think here there is a small bug. ReadOnly basically means the user does not want the model to write anywhere (cwd included).
In this specific case, the model ask to be able to write in one specific directory (from extra_writes). But if we check how WorkspaceWrite is used, we see in get_writable_roots_with_cwd that by default it gives access to writable_root=extra_writes AND the cwd (and /tmp btw).
This means this permission request implicitly give access to the full CWD
There was a problem hiding this comment.
Should have added a comment here - I agree that this doesn't map perfectly. We could add a new SandboxPolicy::SpecificWrite which doesn't include the cwd
There was a problem hiding this comment.
I've opened #12504 as an example of how we might support fine-grained controls here
There was a problem hiding this comment.
SG, must be a blocker to release the feature
There was a problem hiding this comment.
100% agreed!
ea396ea to
3e74264
Compare
39ce688 to
fb8cba4
Compare
a2cfdae to
fb60743
Compare
fb60743 to
8bb9995
Compare
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8bb9995c2c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| SandboxPolicy::WorkspaceWrite { | ||
| writable_roots: dedup_absolute_paths(extra_writes), | ||
| read_only_access: merge_read_only_access_with_additional_reads( | ||
| access, | ||
| extra_reads, | ||
| ), | ||
| network_access: false, | ||
| exclude_tmpdir_env_var: false, | ||
| exclude_slash_tmp: false, |
There was a problem hiding this comment.
Preserve read-only sandbox when granting extra write paths
Do not upgrade ReadOnly to WorkspaceWrite for fs_write grants. This branch widens access beyond requested paths by enabling workspace-write defaults (exclude_tmpdir_env_var: false, exclude_slash_tmp: false), so approved commands can write to unrequested locations (e.g., cwd/tmp). That breaks least-privilege and can expose unintended file modification paths.
Useful? React with 👍 / 👎.
jif-oai
left a comment
There was a problem hiding this comment.
Not ready to land because of the read escalation thing but good to iterate on
| ); | ||
| } | ||
|
|
||
| if uses_additional_permissions { |
There was a problem hiding this comment.
I guess this is intended that if we are in full access, the request is basically ignored?
There was a problem hiding this comment.
I think the intention here is to remain similar to OnRequest behavior!
There was a problem hiding this comment.
This code might be overly defensive, since it's already handled here. will think about how to clean up as we iterate on this feature
| SandboxPolicy::WorkspaceWrite { | ||
| writable_roots: dedup_absolute_paths(extra_writes), | ||
| read_only_access: merge_read_only_access_with_additional_reads( | ||
| access, | ||
| extra_reads, | ||
| ), | ||
| network_access: false, | ||
| exclude_tmpdir_env_var: false, | ||
| exclude_slash_tmp: false, |
Summary
Introduces the initial implementation of Feature::RequestPermissions. RequestPermissions allows the model to request that a command be run inside the sandbox, with additional permissions, like writing to a specific folder. Eventually this will include other rules as well, and the ability to persist these permissions, but this PR is already quite large - let's get the core flow working and go from there!
Testing