## Why

In the `shell_zsh_fork` flow, `codex-shell-escalation` receives the executable path exactly as the shell passed it to `execve()`. That path is not guaranteed to be absolute. For commands such as `./scripts/hello-mbolin.sh`, if the shell was launched with a different `workdir`, resolving the intercepted `file` against the server process working directory makes policy checks and skill matching inspect the wrong executable.

This change pushes that fix a step further by keeping the normalized path typed as `AbsolutePathBuf` throughout the rest of the escalation pipeline. That makes the absolute-path invariant explicit, so later code cannot accidentally treat the resolved executable path as an arbitrary `PathBuf`.

## What Changed

- record the wrapper process working directory as an `AbsolutePathBuf`
- update the escalation protocol so `workdir` is explicitly absolute while `file` remains the raw intercepted exec path
- resolve a relative intercepted `file` against the request `workdir` as soon as the server receives the request
- thread `AbsolutePathBuf` through `EscalationPolicy`, `CoreShellActionProvider`, and command normalization helpers so the resolved executable path stays type-checked as absolute
- replace the `path-absolutize` dependency in `codex-shell-escalation` with `codex-utils-absolute-path`
- add a regression test that covers a relative `file` with a distinct `workdir`

## Verification

- `cargo test -p codex-shell-escalation`
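The resolution rule the PR description lays out (a relative `file` is joined to the request's own `workdir`, never to the server's current directory, and the result is carried as an absolute-only type) is easy to get subtly wrong, so here is an added, self-contained illustration. It is not code from the codex repository: the `AbsolutePathBuf` newtype, `ResolveError` and `resolve_exec_path` below are hypothetical stand-ins written for this page, and the real `codex-utils-absolute-path` crate may normalize differently. Normalization here is purely lexical (it collapses `.` and `..` and clamps `..` at the root) and does not touch the filesystem, so symlinks are not followed; a policy check that needs the canonical target would still have to `canonicalize` on the server side.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical absolute-path newtype for this example (not the real
/// `codex-utils-absolute-path` API). Constructing one is the only way to get
/// the type, so downstream code cannot receive a relative path by accident.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AbsolutePathBuf(PathBuf);

#[derive(Debug, PartialEq, Eq)]
pub enum ResolveError {
    /// The candidate path did not start at the filesystem root.
    NotAbsolute(PathBuf),
}

impl AbsolutePathBuf {
    /// Accept only absolute paths and normalize them lexically.
    pub fn new(path: impl AsRef<Path>) -> Result<Self, ResolveError> {
        let path = path.as_ref();
        if !path.is_absolute() {
            return Err(ResolveError::NotAbsolute(path.to_path_buf()));
        }
        Ok(Self(normalize(path)))
    }

    pub fn as_path(&self) -> &Path {
        &self.0
    }
}

/// Drop `.` components, collapse `dir/..`, and keep `..` from climbing above
/// the root (`/..` stays `/`). No symlink resolution: this is string-level only.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for component in path.components() {
        match component {
            Component::CurDir => {}
            Component::ParentDir => {
                // `Path::parent` is `None` for the bare root, so `..` at `/` is a no-op.
                if out.parent().is_some() {
                    out.pop();
                }
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Resolve the raw `file` exactly as the shell passed it to execve(2) against the
/// request's `workdir`. The server's own `std::env::current_dir()` is never
/// consulted, which is the bug the PR description describes.
pub fn resolve_exec_path(
    file: &Path,
    workdir: &AbsolutePathBuf,
) -> Result<AbsolutePathBuf, ResolveError> {
    if file.is_absolute() {
        AbsolutePathBuf::new(file)
    } else {
        AbsolutePathBuf::new(workdir.as_path().join(file))
    }
}

fn main() {
    // Constructed sample request: the shell ran `./scripts/hello-mbolin.sh` from a
    // workdir that is not the server's cwd.
    let workdir = AbsolutePathBuf::new("/home/dev/project").expect("workdir is absolute");
    let resolved = resolve_exec_path(Path::new("./scripts/hello-mbolin.sh"), &workdir)
        .expect("relative file resolves against workdir");
    println!("policy should inspect: {}", resolved.as_path().display());
}
```

The type signature is the point: once `resolve_exec_path` has run at the protocol boundary, everything after it (policy evaluation, skill matching, command normalization) takes an `AbsolutePathBuf`, and a caller that only has a `PathBuf` cannot compile.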
codex-shell-escalation
This crate contains the Unix shell-escalation protocol implementation and the
codex-execve-wrapper executable.
codex-execve-wrapper receives the arguments to an intercepted execve(2) call and delegates the
decision to the shell-escalation protocol over a shared file descriptor (specified by the
CODEX_ESCALATE_SOCKET environment variable). The server on the other side replies with one of:
- `Run`: `codex-execve-wrapper` should invoke `execve(2)` on itself to run the original command within the sandboxed shell.
- `Escalate`: forward the file descriptors of the current process so the command can be run faithfully outside the sandbox. When the process completes, the server forwards the exit code back to `codex-execve-wrapper`.
- `Deny`: the server has declared the proposed command to be forbidden, so `codex-execve-wrapper` prints an error to `stderr` and exits with `1`.
Patched Bash
We carry a small patch to execute_cmd.c (see patches/bash-exec-wrapper.patch) that adds support for EXEC_WRAPPER. The original commit message is “add support for BASH_EXEC_WRAPPER” and the patch applies cleanly to a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b from https://github.com/bminor/bash. To rebuild manually:
```bash
git clone https://github.com/bminor/bash
cd bash   # the checkout below must run inside the cloned repository
git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
git apply /path/to/patches/bash-exec-wrapper.patch
./configure --without-bash-malloc
make -j"$(nproc)"
```