core: resolve host_executable() rules during preflight

Author: bolinfest

codex-rs/core/src/exec_policy.rs

@@ -13,6 +13,7 @@ use codex_execpolicy::AmendError;
 use codex_execpolicy::Decision;
 use codex_execpolicy::Error as ExecPolicyRuleError;
 use codex_execpolicy::Evaluation;
+use codex_execpolicy::MatchOptions;
 use codex_execpolicy::NetworkRuleProtocol;
 use codex_execpolicy::Policy;
 use codex_execpolicy::PolicyParser;
@@ -221,14 +222,22 @@ impl ExecPolicyManager {
                 used_complex_parsing,
             )
         };
-        let evaluation = exec_policy.check_multiple(commands.iter(), &exec_policy_fallback);
+        let match_options = MatchOptions {
+            resolve_host_executables: true,
+        };
+        let evaluation = exec_policy.check_multiple_with_options(
+            commands.iter(),
+            &exec_policy_fallback,
+            &match_options,
+        );
 
         let requested_amendment = derive_requested_execpolicy_amendment_from_prefix_rule(
             prefix_rule.as_ref(),
             &evaluation.matched_rules,
             exec_policy.as_ref(),
             &commands,
             &exec_policy_fallback,
+            &match_options,
         );
 
         match evaluation.decision {
@@ -630,6 +639,7 @@ fn derive_requested_execpolicy_amendment_from_prefix_rule(
     exec_policy: &Policy,
     commands: &[Vec<String>],
     exec_policy_fallback: &impl Fn(&[String]) -> Decision,
+    match_options: &MatchOptions,
 ) -> Option<ExecPolicyAmendment> {
     let prefix_rule = prefix_rule?;
     if prefix_rule.is_empty() {
@@ -656,6 +666,7 @@ fn derive_requested_execpolicy_amendment_from_prefix_rule(
         &amendment.command,
         commands,
         exec_policy_fallback,
+        match_options,
     ) {
         Some(amendment)
     } else {
@@ -668,6 +679,7 @@ fn prefix_rule_would_approve_all_commands(
     prefix_rule: &[String],
     commands: &[Vec<String>],
     exec_policy_fallback: &impl Fn(&[String]) -> Decision,
+    match_options: &MatchOptions,
 ) -> bool {
     let mut policy_with_prefix_rule = exec_policy.clone();
     if policy_with_prefix_rule
@@ -679,7 +691,7 @@ fn prefix_rule_would_approve_all_commands(
 
     commands.iter().all(|command| {
         policy_with_prefix_rule
-            .check(command, exec_policy_fallback)
+            .check_with_options(command, exec_policy_fallback, match_options)
             .decision
             == Decision::Allow
     })
@@ -849,6 +861,15 @@ mod tests {
         path.to_string_lossy().into_owned()
     }
 
+    fn host_program_path(name: &str) -> String {
+        let executable_name = if cfg!(windows) {
+            format!("{name}.exe")
+        } else {
+            name.to_string()
+        };
+        host_absolute_path(&["usr", "bin", &executable_name])
+    }
+
     fn starlark_string(value: &str) -> String {
         value.replace('\\', "\\\\").replace('"', "\\\"")
     }
@@ -1398,6 +1419,115 @@ prefix_rule(
         );
     }
 
+    #[tokio::test]
+    async fn absolute_path_exec_approval_requirement_matches_host_executable_rules() {
+        let git_path = host_program_path("git");
+        let git_path_literal = starlark_string(&git_path);
+        let policy_src = format!(
+            r#"
+host_executable(name = "git", paths = ["{git_path_literal}"])
+prefix_rule(pattern=["git"], decision="allow")
+"#
+        );
+        let mut parser = PolicyParser::new();
+        parser
+            .parse("test.rules", &policy_src)
+            .expect("parse policy");
+        let manager = ExecPolicyManager::new(Arc::new(parser.build()));
+        let command = vec![git_path, "status".to_string()];
+
+        let requirement = manager
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::new_read_only_policy(),
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
+            .await;
+
+        assert_eq!(
+            requirement,
+            ExecApprovalRequirement::Skip {
+                bypass_sandbox: true,
+                proposed_execpolicy_amendment: None,
+            }
+        );
+    }
+
+    #[tokio::test]
+    async fn absolute_path_exec_approval_requirement_ignores_disallowed_host_executable_paths() {
+        let allowed_git_path = host_program_path("git");
+        let disallowed_git_path = host_absolute_path(&[
+            "opt",
+            "homebrew",
+            "bin",
+            if cfg!(windows) { "git.exe" } else { "git" },
+        ]);
+        let allowed_git_path_literal = starlark_string(&allowed_git_path);
+        let policy_src = format!(
+            r#"
+host_executable(name = "git", paths = ["{allowed_git_path_literal}"])
+prefix_rule(pattern=["git"], decision="prompt")
+"#
+        );
+        let mut parser = PolicyParser::new();
+        parser
+            .parse("test.rules", &policy_src)
+            .expect("parse policy");
+        let manager = ExecPolicyManager::new(Arc::new(parser.build()));
+        let command = vec![disallowed_git_path, "status".to_string()];
+
+        let requirement = manager
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::new_read_only_policy(),
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
+            .await;
+
+        assert_eq!(
+            requirement,
+            ExecApprovalRequirement::Skip {
+                bypass_sandbox: false,
+                proposed_execpolicy_amendment: Some(ExecPolicyAmendment::new(command)),
+            }
+        );
+    }
+
+    #[tokio::test]
+    async fn requested_prefix_rule_can_approve_absolute_path_commands() {
+        let command = vec![
+            host_program_path("cargo"),
+            "install".to_string(),
+            "cargo-insta".to_string(),
+        ];
+        let manager = ExecPolicyManager::default();
+
+        let requirement = manager
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::new_read_only_policy(),
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: Some(vec!["cargo".to_string(), "install".to_string()]),
+            })
+            .await;
+
+        assert_eq!(
+            requirement,
+            ExecApprovalRequirement::NeedsApproval {
+                reason: None,
+                proposed_execpolicy_amendment: Some(ExecPolicyAmendment::new(vec![
+                    "cargo".to_string(),
+                    "install".to_string(),
+                ])),
+            }
+        );
+    }
+
     #[tokio::test]
     async fn exec_approval_requirement_respects_approval_policy() {
         let policy_src = r#"prefix_rule(pattern=["rm"], decision="prompt")"#;
@@ -1952,6 +2082,7 @@ prefix_rule(
             &Policy::empty(),
             &commands,
             &|_: &[String]| Decision::Allow,
+            &MatchOptions::default(),
         )
     }