consolidate world-writable-directories scanning. (#7234)

clean up the code for scanning for world writable directories

One path (selecting a sandbox mode from /approvals) was using an
incorrect method that did not use the new method of creating deny aces
to prevent writing to those directories. Now all paths are the same.

codex-rs/windows-sandbox-rs/src/lib.rs

@@ -7,21 +7,17 @@ macro_rules! windows_modules {
 windows_modules!(acl, allow, audit, cap, env, logging, policy, token, winutil);
 
 #[cfg(target_os = "windows")]
-pub use audit::world_writable_warning_details;
-#[cfg(target_os = "windows")]
-pub use windows_impl::preflight_audit_everyone_writable;
+pub use audit::apply_world_writable_scan_and_denies;
 #[cfg(target_os = "windows")]
 pub use windows_impl::run_windows_sandbox_capture;
 #[cfg(target_os = "windows")]
 pub use windows_impl::CaptureResult;
 
 #[cfg(not(target_os = "windows"))]
-pub use stub::preflight_audit_everyone_writable;
+pub use stub::apply_world_writable_scan_and_denies;
 #[cfg(not(target_os = "windows"))]
 pub use stub::run_windows_sandbox_capture;
 #[cfg(not(target_os = "windows"))]
-pub use stub::world_writable_warning_details;
-#[cfg(not(target_os = "windows"))]
 pub use stub::CaptureResult;
 
 #[cfg(target_os = "windows")]
@@ -30,7 +26,6 @@ mod windows_impl {
     use super::acl::allow_null_device;
     use super::acl::revoke_ace;
     use super::allow::compute_allow_paths;
-    use super::audit;
     use super::cap::cap_sid_file;
     use super::cap::load_or_create_cap_sids;
     use super::env::apply_no_network_to_env;
@@ -38,7 +33,6 @@ mod windows_impl {
     use super::env::normalize_null_device_env;
     use super::logging::debug_log;
     use super::logging::log_failure;
-    use super::logging::log_note;
     use super::logging::log_start;
     use super::logging::log_success;
     use super::policy::parse_policy;
@@ -182,32 +176,6 @@ mod windows_impl {
         pub timed_out: bool,
     }
 
-    pub fn preflight_audit_everyone_writable(
-        codex_home: &Path,
-        cwd: &Path,
-        env_map: &HashMap<String, String>,
-        sandbox_policy: &SandboxPolicy,
-        logs_base_dir: Option<&Path>,
-    ) -> Result<Vec<PathBuf>> {
-        let flagged = audit::audit_everyone_writable(cwd, env_map, logs_base_dir)?;
-        if flagged.is_empty() {
-            return Ok(flagged);
-        }
-        if let Err(err) = audit::apply_capability_denies_for_world_writable(
-            codex_home,
-            &flagged,
-            sandbox_policy,
-            cwd,
-            logs_base_dir,
-        ) {
-            log_note(
-                &format!("AUDIT: failed to apply capability deny ACEs: {}", err),
-                logs_base_dir,
-            );
-        }
-        Ok(Vec::new())
-    }
-
     pub fn run_windows_sandbox_capture(
         policy_json_or_preset: &str,
         sandbox_policy_cwd: &Path,
@@ -502,16 +470,6 @@ mod stub {
         pub timed_out: bool,
     }
 
-    pub fn preflight_audit_everyone_writable(
-        _codex_home: &Path,
-        _cwd: &Path,
-        _env_map: &HashMap<String, String>,
-        _sandbox_policy: &SandboxPolicy,
-        _logs_base_dir: Option<&Path>,
-    ) -> Result<Vec<std::path::PathBuf>> {
-        bail!("Windows sandbox is only available on Windows")
-    }
-
     pub fn run_windows_sandbox_capture(
         _policy_json_or_preset: &str,
         _sandbox_policy_cwd: &Path,
@@ -524,10 +482,13 @@ mod stub {
         bail!("Windows sandbox is only available on Windows")
     }
 
-    pub fn world_writable_warning_details(
-        _codex_home: impl AsRef<Path>,
-        _cwd: impl AsRef<Path>,
-    ) -> Option<(Vec<String>, usize, bool)> {
-        None
+    pub fn apply_world_writable_scan_and_denies(
+        _codex_home: &Path,
+        _cwd: &Path,
+        _env_map: &HashMap<String, String>,
+        _sandbox_policy: &SandboxPolicy,
+        _logs_base_dir: Option<&Path>,
+    ) -> Result<()> {
+        bail!("Windows sandbox is only available on Windows")
     }
 }