fix: ensure cwd for conversation and sandbox are separate concerns

Author: bolinfest

codex-rs/cli/src/debug_sandbox.rs

@@ -64,7 +64,6 @@ async fn run_command_under_sandbox(
     sandbox_type: SandboxType,
 ) -> anyhow::Result<()> {
     let sandbox_mode = create_sandbox_mode(full_auto);
-    let cwd = std::env::current_dir()?;
     let config = Config::load_with_cli_overrides(
         config_overrides
             .parse_overrides()
@@ -75,13 +74,29 @@ async fn run_command_under_sandbox(
             ..Default::default()
         },
     )?;
+
+    // In practice, this should be `std::env::current_dir()` because this CLI
+    // does not support `--cwd`, but let's use the config value for consistency.
+    let cwd = config.cwd.clone();
+    // For now, we always use the same cwd for both the command and the
+    // sandbox policy. In the future, we could add a CLI option to set them
+    // separately.
+    let sandbox_policy_cwd = cwd.clone();
+
     let stdio_policy = StdioPolicy::Inherit;
     let env = create_env(&config.shell_environment_policy);
 
     let mut child = match sandbox_type {
         SandboxType::Seatbelt => {
-            spawn_command_under_seatbelt(command, &config.sandbox_policy, cwd, stdio_policy, env)
-                .await?
+            spawn_command_under_seatbelt(
+                command,
+                cwd,
+                &config.sandbox_policy,
+                sandbox_policy_cwd.as_path(),
+                stdio_policy,
+                env,
+            )
+            .await?
         }
         SandboxType::Landlock => {
             #[expect(clippy::expect_used)]
@@ -91,8 +106,9 @@ async fn run_command_under_sandbox(
             spawn_command_under_linux_sandbox(
                 codex_linux_sandbox_exe,
                 command,
-                &config.sandbox_policy,
                 cwd,
+                &config.sandbox_policy,
+                sandbox_policy_cwd.as_path(),
                 stdio_policy,
                 env,
             )

codex-rs/core/src/codex.rs

@@ -1,6 +1,7 @@
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::collections::HashSet;
+use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::atomic::AtomicU64;
@@ -898,6 +899,7 @@ impl Session {
             exec_args.params,
             exec_args.sandbox_type,
             exec_args.sandbox_policy,
+            exec_args.sandbox_cwd,
             exec_args.codex_linux_sandbox_exe,
             exec_args.stdout_stream,
         )
@@ -2691,6 +2693,7 @@ pub struct ExecInvokeArgs<'a> {
     pub params: ExecParams,
     pub sandbox_type: SandboxType,
     pub sandbox_policy: &'a SandboxPolicy,
+    pub sandbox_cwd: &'a Path,
     pub codex_linux_sandbox_exe: &'a Option<PathBuf>,
     pub stdout_stream: Option<StdoutStream>,
 }
@@ -2882,6 +2885,7 @@ async fn handle_container_exec_with_params(
                 params: params.clone(),
                 sandbox_type,
                 sandbox_policy: &turn_context.sandbox_policy,
+                sandbox_cwd: &turn_context.cwd,
                 codex_linux_sandbox_exe: &sess.codex_linux_sandbox_exe,
                 stdout_stream: if exec_command_context.apply_patch.is_some() {
                     None
@@ -3016,6 +3020,7 @@ async fn handle_sandbox_error(
                         params,
                         sandbox_type: SandboxType::None,
                         sandbox_policy: &turn_context.sandbox_policy,
+                        sandbox_cwd: &turn_context.cwd,
                         codex_linux_sandbox_exe: &sess.codex_linux_sandbox_exe,
                         stdout_stream: if exec_command_context.apply_patch.is_some() {
                             None

codex-rs/core/src/exec.rs

@@ -3,6 +3,7 @@ use std::os::unix::process::ExitStatusExt;
 
 use std::collections::HashMap;
 use std::io;
+use std::path::Path;
 use std::path::PathBuf;
 use std::process::ExitStatus;
 use std::time::Duration;
@@ -82,6 +83,7 @@ pub async fn process_exec_tool_call(
     params: ExecParams,
     sandbox_type: SandboxType,
     sandbox_policy: &SandboxPolicy,
+    sandbox_cwd: &Path,
     codex_linux_sandbox_exe: &Option<PathBuf>,
     stdout_stream: Option<StdoutStream>,
 ) -> Result<ExecToolCallOutput> {
@@ -94,12 +96,16 @@ pub async fn process_exec_tool_call(
         SandboxType::None => exec(params, sandbox_policy, stdout_stream.clone()).await,
         SandboxType::MacosSeatbelt => {
             let ExecParams {
-                command, cwd, env, ..
+                command,
+                cwd: command_cwd,
+                env,
+                ..
             } = params;
             let child = spawn_command_under_seatbelt(
                 command,
+                command_cwd,
                 sandbox_policy,
-                cwd,
+                sandbox_cwd,
                 StdioPolicy::RedirectForShellTool,
                 env,
             )
@@ -108,7 +114,10 @@ pub async fn process_exec_tool_call(
         }
         SandboxType::LinuxSeccomp => {
             let ExecParams {
-                command, cwd, env, ..
+                command,
+                cwd: command_cwd,
+                env,
+                ..
             } = params;
 
             let codex_linux_sandbox_exe = codex_linux_sandbox_exe
@@ -117,8 +126,9 @@ pub async fn process_exec_tool_call(
             let child = spawn_command_under_linux_sandbox(
                 codex_linux_sandbox_exe,
                 command,
+                command_cwd,
                 sandbox_policy,
-                cwd,
+                sandbox_cwd,
                 StdioPolicy::RedirectForShellTool,
                 env,
             )

codex-rs/core/src/landlock.rs

@@ -16,21 +16,22 @@ use tokio::process::Child;
 pub async fn spawn_command_under_linux_sandbox<P>(
     codex_linux_sandbox_exe: P,
     command: Vec<String>,
+    command_cwd: PathBuf,
     sandbox_policy: &SandboxPolicy,
-    cwd: PathBuf,
+    sandbox_policy_cwd: &Path,
     stdio_policy: StdioPolicy,
     env: HashMap<String, String>,
 ) -> std::io::Result<Child>
 where
     P: AsRef<Path>,
 {
-    let args = create_linux_sandbox_command_args(command, sandbox_policy, &cwd);
+    let args = create_linux_sandbox_command_args(command, sandbox_policy, sandbox_policy_cwd);
     let arg0 = Some("codex-linux-sandbox");
     spawn_child_async(
         codex_linux_sandbox_exe.as_ref().to_path_buf(),
         args,
         arg0,
-        cwd,
+        command_cwd,
         sandbox_policy,
         stdio_policy,
         env,
@@ -42,10 +43,13 @@ where
 fn create_linux_sandbox_command_args(
     command: Vec<String>,
     sandbox_policy: &SandboxPolicy,
-    cwd: &Path,
+    sandbox_policy_cwd: &Path,
 ) -> Vec<String> {
     #[expect(clippy::expect_used)]
-    let sandbox_policy_cwd = cwd.to_str().expect("cwd must be valid UTF-8").to_string();
+    let sandbox_policy_cwd = sandbox_policy_cwd
+        .to_str()
+        .expect("cwd must be valid UTF-8")
+        .to_string();
 
     #[expect(clippy::expect_used)]
     let sandbox_policy_json =

codex-rs/core/src/seatbelt.rs

@@ -18,19 +18,20 @@ const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";
 
 pub async fn spawn_command_under_seatbelt(
     command: Vec<String>,
+    command_cwd: PathBuf,
     sandbox_policy: &SandboxPolicy,
-    cwd: PathBuf,
+    sandbox_policy_cwd: &Path,
     stdio_policy: StdioPolicy,
     mut env: HashMap<String, String>,
 ) -> std::io::Result<Child> {
-    let args = create_seatbelt_command_args(command, sandbox_policy, &cwd);
+    let args = create_seatbelt_command_args(command, sandbox_policy, sandbox_policy_cwd);
     let arg0 = None;
     env.insert(CODEX_SANDBOX_ENV_VAR.to_string(), "seatbelt".to_string());
     spawn_child_async(
         PathBuf::from(MACOS_PATH_TO_SEATBELT_EXECUTABLE),
         args,
         arg0,
-        cwd,
+        command_cwd,
         sandbox_policy,
         stdio_policy,
         env,
@@ -41,7 +42,7 @@ pub async fn spawn_command_under_seatbelt(
 fn create_seatbelt_command_args(
     command: Vec<String>,
     sandbox_policy: &SandboxPolicy,
-    cwd: &Path,
+    sandbox_policy_cwd: &Path,
 ) -> Vec<String> {
     let (file_write_policy, extra_cli_args) = {
         if sandbox_policy.has_full_disk_write_access() {
@@ -51,7 +52,7 @@ fn create_seatbelt_command_args(
                 Vec::<String>::new(),
             )
         } else {
-            let writable_roots = sandbox_policy.get_writable_roots_with_cwd(cwd);
+            let writable_roots = sandbox_policy.get_writable_roots_with_cwd(sandbox_policy_cwd);
 
             let mut writable_folder_policies: Vec<String> = Vec::new();
             let mut cli_args: Vec<String> = Vec::new();

codex-rs/core/src/shell.rs

@@ -349,6 +349,7 @@ mod tests {
                 },
                 SandboxType::None,
                 &SandboxPolicy::DangerFullAccess,
+                temp_home.path(),
                 &None,
                 None,
             )
@@ -455,6 +456,7 @@ mod macos_tests {
                 },
                 SandboxType::None,
                 &SandboxPolicy::DangerFullAccess,
+                temp_home.path(),
                 &None,
                 None,
             )

codex-rs/core/tests/suite/exec.rs

@@ -39,7 +39,7 @@ async fn run_test_cmd(tmp: TempDir, cmd: Vec<&str>) -> Result<ExecToolCallOutput
 
     let policy = SandboxPolicy::new_read_only_policy();
 
-    process_exec_tool_call(params, sandbox_type, &policy, &None, None).await
+    process_exec_tool_call(params, sandbox_type, &policy, tmp.path(), &None, None).await
 }
 
 /// Command succeeds with exit code 0 normally

codex-rs/core/tests/suite/exec_stream_events.rs

@@ -49,9 +49,10 @@ async fn test_exec_stdout_stream_events_echo() {
         "printf 'hello-world\n'".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(5_000),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -64,6 +65,7 @@ async fn test_exec_stdout_stream_events_echo() {
         params,
         SandboxType::None,
         &policy,
+        cwd.as_path(),
         &None,
         Some(stdout_stream),
     )
@@ -99,9 +101,10 @@ async fn test_exec_stderr_stream_events_echo() {
         "printf 'oops\n' 1>&2".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(5_000),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -114,6 +117,7 @@ async fn test_exec_stderr_stream_events_echo() {
         params,
         SandboxType::None,
         &policy,
+        cwd.as_path(),
         &None,
         Some(stdout_stream),
     )
@@ -152,9 +156,10 @@ async fn test_aggregated_output_interleaves_in_order() {
         "printf 'O1\\n'; sleep 0.01; printf 'E1\\n' 1>&2; sleep 0.01; printf 'O2\\n'; sleep 0.01; printf 'E2\\n' 1>&2".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(5_000),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -163,9 +168,16 @@ async fn test_aggregated_output_interleaves_in_order() {
 
     let policy = SandboxPolicy::new_read_only_policy();
 
-    let result = process_exec_tool_call(params, SandboxType::None, &policy, &None, None)
-        .await
-        .expect("process_exec_tool_call");
+    let result = process_exec_tool_call(
+        params,
+        SandboxType::None,
+        &policy,
+        cwd.as_path(),
+        &None,
+        None,
+    )
+    .await
+    .expect("process_exec_tool_call");
 
     assert_eq!(result.exit_code, 0);
     assert_eq!(result.stdout.text, "O1\nO2\n");
@@ -182,9 +194,10 @@ async fn test_exec_timeout_returns_partial_output() {
         "printf 'before\\n'; sleep 2; printf 'after\\n'".to_string(),
     ];
 
+    let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
     let params = ExecParams {
         command: cmd,
-        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        cwd: cwd.clone(),
         timeout_ms: Some(200),
         env: HashMap::new(),
         with_escalated_permissions: None,
@@ -193,7 +206,15 @@ async fn test_exec_timeout_returns_partial_output() {
 
     let policy = SandboxPolicy::new_read_only_policy();
 
-    let result = process_exec_tool_call(params, SandboxType::None, &policy, &None, None).await;
+    let result = process_exec_tool_call(
+        params,
+        SandboxType::None,
+        &policy,
+        cwd.as_path(),
+        &None,
+        None,
+    )
+    .await;
 
     let Err(CodexErr::Sandbox(SandboxErr::Timeout { output })) = result else {
         panic!("expected timeout error");

codex-rs/core/tests/suite/seatbelt.rs

@@ -171,6 +171,8 @@ async fn python_getpwuid_works_under_seatbelt() {
 
     // ReadOnly is sufficient here since we are only exercising user lookup.
     let policy = SandboxPolicy::ReadOnly;
+    let command_cwd = std::env::current_dir().expect("getcwd");
+    let sandbox_cwd = command_cwd.clone();
 
     let mut child = spawn_command_under_seatbelt(
         vec![
@@ -179,8 +181,9 @@ async fn python_getpwuid_works_under_seatbelt() {
             // Print the passwd struct; success implies lookup worked.
             "import pwd, os; print(pwd.getpwuid(os.getuid()))".to_string(),
         ],
+        command_cwd,
         &policy,
-        std::env::current_dir().expect("should be able to get current dir"),
+        sandbox_cwd.as_path(),
         StdioPolicy::RedirectForShellTool,
         HashMap::new(),
     )
@@ -216,13 +219,16 @@ fn create_test_scenario(tmp: &TempDir) -> TestScenario {
 /// Note that `path` must be absolute.
 async fn touch(path: &Path, policy: &SandboxPolicy) -> bool {
     assert!(path.is_absolute(), "Path must be absolute: {path:?}");
+    let command_cwd = std::env::current_dir().expect("getcwd");
+    let sandbox_cwd = command_cwd.clone();
     let mut child = spawn_command_under_seatbelt(
         vec![
             "/usr/bin/touch".to_string(),
             path.to_string_lossy().to_string(),
         ],
+        command_cwd,
         policy,
-        std::env::current_dir().expect("should be able to get current dir"),
+        sandbox_cwd.as_path(),
         StdioPolicy::RedirectForShellTool,
         HashMap::new(),
     )