From fa767871cb9b73be04a13aaa8554caa97c4c7a44 Mon Sep 17 00:00:00 2001
From: Eric Traut
Date: Wed, 11 Feb 2026 16:42:14 -0800
Subject: [PATCH] Added seatbelt policy rule to allow os.cpus (#11277)

I don't think this policy change increases the risk, other than potentially exposing the caller to bugs in these kernel calls, which are unlikely. Without this change, some tools are silently failing or making incorrect decisions about the processor type (e.g. installing x86 binaries rather than Apple silicon binaries). This addresses #11210
---------
Co-authored-by: viyatb-oai
---
 codex-rs/core/src/seatbelt.rs | 12 ++++++++++++
 codex-rs/core/src/seatbelt_base_policy.sbpl | 4 ++++
 2 files changed, 16 insertions(+)

diff --git a/codex-rs/core/src/seatbelt.rs b/codex-rs/core/src/seatbelt.rs
index e2061b52d..f71d06160 100644
--- a/codex-rs/core/src/seatbelt.rs
+++ b/codex-rs/core/src/seatbelt.rs
@@ -314,6 +314,18 @@ mod tests {
 );
 }
 
+ #[test]
+ fn base_policy_allows_node_cpu_sysctls() {
+ assert!(
+ MACOS_SEATBELT_BASE_POLICY.contains("(sysctl-name \"machdep.cpu.brand_string\")"),
+ "base policy must allow CPU brand lookup for os.cpus()"
+ );
+ assert!(
+ MACOS_SEATBELT_BASE_POLICY.contains("(sysctl-name \"hw.model\")"),
+ "base policy must allow hardware model lookup for os.cpus()"
+ );
+ }
+
 #[test]
 fn create_seatbelt_args_routes_network_through_proxy_ports() {
 let policy = dynamic_network_policy(
diff --git a/codex-rs/core/src/seatbelt_base_policy.sbpl b/codex-rs/core/src/seatbelt_base_policy.sbpl
index 236f7a139..00676a86f 100644
--- a/codex-rs/core/src/seatbelt_base_policy.sbpl
+++ b/codex-rs/core/src/seatbelt_base_policy.sbpl
@@ -39,6 +39,7 @@
 (sysctl-name "hw.l3cachesize_compat")
 (sysctl-name "hw.logicalcpu_max")
 (sysctl-name "hw.machine")
+ (sysctl-name "hw.model")
 (sysctl-name "hw.memsize")
 (sysctl-name "hw.ncpu")
 (sysctl-name "hw.nperflevels")
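Review bot: The new test `base_policy_allows_node_cpu_sysctls` asserts only two of the four names this commit adds to the policy; `hw.logicalcpu` and `hw.cpufrequency` from the `@@ -51,8 +52,11 @@` hunk can be removed later without any test failing. I would add one assertion per missing name in the same shape, e.g. `assert!(MACOS_SEATBELT_BASE_POLICY.contains("(sysctl-name \"hw.logicalcpu\")"), "base policy must allow logical CPU count lookup");`. `contains` is a plain substring match, so it also passes if the entry is commented out or ends up outside the allow form; a short comment on the test such as `// Presence check only: does not prove the rule is enforced by sandbox-exec.` would keep readers from over-trusting it. The test function is complete in this hunk, while `mod tests` starts and ends outside it.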
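Review bot: The added `(sysctl-name "hw.model")` entry has no comment saying why the sandbox needs it; the rationale lives only in the commit message and the test strings. A sandbox allow-list is audited entry by entry, so I would put `; needed by Node's os.cpus() (CPU brand / hardware model lookup)` above it, with the wording taken from the test messages in this commit. The surrounding entries look alphabetical and `hw.model` is placed before `hw.memsize`; in the `@@ -51,8 +52,11 @@` hunk `hw.logicalcpu`, `hw.cpufrequency` and `machdep.cpu.brand_string` are likewise out of order, which makes duplicates and unintended entries harder to spot in later reviews. The enclosing policy form starts and ends outside both hunks, so the operation these names are granted for should be confirmed there.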
@@ -51,8 +52,11 @@
 (sysctl-name "hw.pagesize")
 (sysctl-name "hw.physicalcpu")
 (sysctl-name "hw.physicalcpu_max")
+ (sysctl-name "hw.logicalcpu")
+ (sysctl-name "hw.cpufrequency")
 (sysctl-name "hw.tbfrequency_compat")
 (sysctl-name "hw.vectorunit")
+ (sysctl-name "machdep.cpu.brand_string")
 (sysctl-name "kern.argmax")
 (sysctl-name "kern.hostname")
 (sysctl-name "kern.maxfilesperproc")