feat: update sandbox policy to allow TTY

[jif-oai]

Change: Seatbelt now allows file-ioctl on /dev/ttys[0-9]+ even without the sandbox extension so pre-created PTYs remain interactive (Python REPL, shells).

Risk: A seatbelted process that already holds a PTY fd (including one it shouldn’t) could issue tty ioctls like TIOCSTI or termios changes on that fd. This doesn’t allow opening new PTYs or reading/writing them; it only broadens ioctl capability on existing fds.

Why acceptable: We already hand the child its PTY for interactive use; restoring ioctls is required for isatty() and prompts to work. The attack requires being given or inheriting a sensitive PTY fd; by design we don’t hand untrusted processes other users’ PTYs (we don't hand them any PTYs actually), so the practical exposure is limited to the PTY intentionally allocated for the session.

Validation:
Running

start a python interpreter and keep it running

Followed by:

• calculate 1+1 using it -> works as expected
• Use this Python session to run the command just fix in /Users/jif/code/codex/codex-rs -> does not work as expected

[jif-oai]

@codex Can you add an integration test for MacOS? Just try to open a Python REPL and make sure we have >>>

[chatgpt-codex-connector]

Summary

• Added a macOS seatbelt integration test that launches a Python REPL through a pseudo-terminal, waits for the >>> prompt, and exits cleanly to confirm interactive PTY support under the sandbox. codex-rs/core/tests/suite/seatbelt.rsL205-L317

Testing

• ✅ just fmt codex-rs/target/just-fmt.logL1-L5
• ✅ just fix -p codex-core codex-rs/target/just-fix-codex-core.logL1-L25
• ❌ cargo test -p codex-core (fails: default_client::tests::test_get_codex_user_agent, default_client::tests::test_create_client_sets_default_headers, exec::tests::kill_child_process_group_kills_grandchildren_on_timeout) codex-rs/target/cargo-test-codex-core.logL560-L585

View task →

[nornagon-openai]

ioctl on non-sandbox ptys seems ok.