by quotemstr 6 hours ago

I have a local patch that reads a new config section that looks like this:

    [sandbox.always.filesystem]
    "~/.config" = "none"
    "~/.config/git" = "read"

(In other words, "other configuration notwithstanding, disallow reads under ~/.config, but do allow reads under ~/.config/git")

I then force-merge the restrictions in this sandbox profile into all other sandbox profiles. I also added a new tiered sandboxing mode: now escalated commands, like regular commands, also run in a sandbox: just a more liberal one still subject to sandbox.always.filesystem rules. I added a new menu option to escalate (manually, one-shot) to truly-outside-sandbox mode for those few commands that aren't happy under any bwrap user namespace.

For simplicity, I also rewrote the built-in tools to just work through executing commands in the sandbox. Why is ReadFile something separate from cat-in-sandbox? Why do we have two rule-enforcement systems, one for shell commands and one for tools? Well, now we don't.

Took me a few hours while I was doing other stuff. I love free software. I don't understand why you'd run Codex and not customize it locally.

I feel a bit guilty about not sending the patch upstream. It's just so much easier to fix software locally than get improvements landed upstream, especially now that LLMs make carrying patches forward easy.
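
The precedence described in the comment above, as an added Python example that is not the commenter's patch or Codex code. It assumes a home directory of `/home/user`, a hypothetical profile, longest-prefix matching on whole path components, an always-layer that overrides any profile rule, and default deny; none of these details are confirmed by the comment.

```python
import posixpath

HOME = "/home/user"  # assumed home directory for "~" expansion

# The two rules quoted in the comment ([sandbox.always.filesystem]).
ALWAYS = {"~/.config": "none", "~/.config/git": "read"}

# Hypothetical profile (constructed); note it tries to grant write on ~/.config.
PROFILE = {"~": "read", "~/project": "write", "~/.config": "write"}


def _norm(path):
    """Expand a leading ~ and collapse "." and ".." lexically.

    Symlinks are not resolved here; a real enforcer has to resolve them
    or rely on the mount namespace so a link cannot step around a rule.
    """
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return posixpath.normpath(path)


def _best_match(rules, path):
    """Return the access of the longest rule prefix covering path, else None."""
    best_len, best = -1, None
    for prefix, access in rules.items():
        p = _norm(prefix)
        # Compare whole components so ~/.config does not cover ~/.config-old.
        if path == p or path.startswith(p.rstrip("/") + "/"):
            if len(p) > best_len:
                best_len, best = len(p), access
    return best


def effective_access(path, profile=PROFILE, always=ALWAYS):
    """Resolve access for path: always-layer first, then profile, then deny."""
    path = _norm(path)
    forced = _best_match(always, path)
    if forced is not None:
        return forced  # assumption: an always rule beats every profile rule
    return _best_match(profile, path) or "none"


if __name__ == "__main__":
    for p in ("~/.config/gh/hosts.yml", "~/.config/git/config",
              "~/.config-old/x", "~/project/../.config/gh/hosts.yml"):
        print(p, "->", effective_access(p))
```
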