From 14de492985c0a98e33d71f7704edb45c57dc3962 Mon Sep 17 00:00:00 2001 From: iceweasel-oai Date: Thu, 5 Mar 2026 22:15:10 -0800 Subject: [PATCH] copy current exe to CODEX_HOME/.sandbox-bin for apply_patch (#13669) We do this for codex-command-runner.exe as well for the same reason. Windows sandbox users cannot execute binaries in the WindowsApp/ installed directory for the Codex App. This causes apply-patch to fail because it tries to execute codex.exe as the sandbox user. --- .../core/src/tools/runtimes/apply_patch.rs | 20 +++++++++---- .../src/helper_materialization.rs | 29 +++++++++++++++++++ codex-rs/windows-sandbox-rs/src/lib.rs | 2 ++ 3 files changed, 46 insertions(+), 5 deletions(-) diff --git a/codex-rs/core/src/tools/runtimes/apply_patch.rs b/codex-rs/core/src/tools/runtimes/apply_patch.rs index 208c78c722..56c7e3dfce 100644 --- a/codex-rs/core/src/tools/runtimes/apply_patch.rs +++ b/codex-rs/core/src/tools/runtimes/apply_patch.rs @@ -46,13 +46,23 @@ impl ApplyPatchRuntime { Self } - fn build_command_spec(req: &ApplyPatchRequest) -> Result { - use std::env; + fn build_command_spec( + req: &ApplyPatchRequest, + _codex_home: &std::path::Path, + ) -> Result { let exe = if let Some(path) = &req.codex_exe { path.clone() } else { - env::current_exe() - .map_err(|e| ToolError::Rejected(format!("failed to determine codex exe: {e}")))? + #[cfg(target_os = "windows")] + { + codex_windows_sandbox::resolve_current_exe_for_launch(_codex_home, "codex.exe") + } + #[cfg(not(target_os = "windows"))] + { + std::env::current_exe().map_err(|e| { + ToolError::Rejected(format!("failed to determine codex exe: {e}")) + })? + } }; let program = exe.to_string_lossy().to_string(); Ok(CommandSpec { @@ -159,7 +169,7 @@ impl ToolRuntime for ApplyPatchRuntime { attempt: &SandboxAttempt<'_>, ctx: &ToolCtx, ) -> Result { - let spec = Self::build_command_spec(req)?; + let spec = Self::build_command_spec(req, &ctx.turn.config.codex_home)?; let env = attempt .env_for(spec, None) .map_err(|err| ToolError::Codex(err.into()))?; diff --git a/codex-rs/windows-sandbox-rs/src/helper_materialization.rs b/codex-rs/windows-sandbox-rs/src/helper_materialization.rs index cda0800628..37db3c59c2 100644 --- a/codex-rs/windows-sandbox-rs/src/helper_materialization.rs +++ b/codex-rs/windows-sandbox-rs/src/helper_materialization.rs @@ -88,6 +88,34 @@ pub(crate) fn resolve_helper_for_launch( } } +pub fn resolve_current_exe_for_launch( + codex_home: &Path, + fallback_executable: &str, +) -> PathBuf { + let source = match std::env::current_exe() { + Ok(path) => path, + Err(_) => return PathBuf::from(fallback_executable), + }; + let Some(file_name) = source.file_name() else { + return source; + }; + let destination = helper_bin_dir(codex_home).join(file_name); + match copy_from_source_if_needed(&source, &destination) { + Ok(_) => destination, + Err(err) => { + let sandbox_log_dir = crate::sandbox_dir(codex_home); + log_note( + &format!( + "helper copy failed for current executable: {err:#}; falling back to legacy path {}", + source.display() + ), + Some(&sandbox_log_dir), + ); + source + } + } +} + pub(crate) fn copy_helper_if_needed( kind: HelperExecutable, codex_home: &Path, @@ -349,3 +377,4 @@ mod tests { ); } } + diff --git a/codex-rs/windows-sandbox-rs/src/lib.rs b/codex-rs/windows-sandbox-rs/src/lib.rs index 565d589724..fcb2e9a334 100644 --- a/codex-rs/windows-sandbox-rs/src/lib.rs +++ b/codex-rs/windows-sandbox-rs/src/lib.rs @@ -60,6 +60,8 @@ pub use dpapi::unprotect as dpapi_unprotect; #[cfg(target_os = "windows")] pub use elevated_impl::run_windows_sandbox_capture as run_windows_sandbox_capture_elevated; #[cfg(target_os = "windows")] +pub use helper_materialization::resolve_current_exe_for_launch; +#[cfg(target_os = "windows")] pub use hide_users::hide_current_user_profile_dir; #[cfg(target_os = "windows")] pub use hide_users::hide_newly_created_users;