From 4a5013386b8a71f614971614c152b6abe3341f80 Mon Sep 17 00:00:00 2001 From: Chris Bookholt Date: Mon, 11 May 2026 20:02:46 +0000 Subject: [PATCH] [codex] Stop Windows sandbox setup after filter installation failure Treat filter installation failure as a setup failure instead of allowing offline sandbox initialization to continue. Co-authored-by: Codex --- .../src/bin/setup_main/win.rs | 8 ++- codex-rs/windows-sandbox-rs/src/wfp_setup.rs | 65 +++++++++++-------- 2 files changed, 46 insertions(+), 27 deletions(-) diff --git a/codex-rs/windows-sandbox-rs/src/bin/setup_main/win.rs b/codex-rs/windows-sandbox-rs/src/bin/setup_main/win.rs index 549eb2426d..ab27e1ff2f 100644 --- a/codex-rs/windows-sandbox-rs/src/bin/setup_main/win.rs +++ b/codex-rs/windows-sandbox-rs/src/bin/setup_main/win.rs @@ -610,7 +610,13 @@ fn run_setup_full(payload: &Payload, log: &mut File, sbx_dir: &Path) -> Result<( |message| { let _ = log_line(log, message); }, - ); + ) + .map_err(|err| { + anyhow::Error::new(SetupFailure::new( + SetupErrorCode::HelperFirewallRuleCreateOrAddFailed, + format!("install WFP filters failed: {err}"), + )) + })?; } if payload.read_roots.is_empty() { diff --git a/codex-rs/windows-sandbox-rs/src/wfp_setup.rs b/codex-rs/windows-sandbox-rs/src/wfp_setup.rs index 351d2edd2f..568fabf372 100644 --- a/codex-rs/windows-sandbox-rs/src/wfp_setup.rs +++ b/codex-rs/windows-sandbox-rs/src/wfp_setup.rs @@ -128,48 +128,61 @@ pub fn install_wfp_filters( offline_username: &str, otel: Option<&StatsigMetricsSettings>, mut log: F, -) where +) -> Result<()> +where F: FnMut(&str), { - let metric = match std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| { - install_wfp_filters_for_account(offline_username) - })) { + let (metric, install_result) = match std::panic::catch_unwind(std::panic::AssertUnwindSafe( + || install_wfp_filters_for_account(offline_username), + )) { Ok(Ok(installed_filter_count)) => { log(&format!( "WFP setup succeeded for {offline_username} with {installed_filter_count} installed filters" )); - WfpSetupMetric { - outcome: WfpSetupMetricOutcome::Success, - target_account: offline_username.to_string(), - installed_filter_count, - error: None, - } + ( + WfpSetupMetric { + outcome: WfpSetupMetricOutcome::Success, + target_account: offline_username.to_string(), + installed_filter_count, + error: None, + }, + Ok(()), + ) } Ok(Err(err)) => { let error = err.to_string(); - log(&format!( - "WFP setup failed for {offline_username}: {error}; continuing elevated setup" - )); - WfpSetupMetric { - outcome: WfpSetupMetricOutcome::Failure, - target_account: offline_username.to_string(), - installed_filter_count: 0, - error: Some(error), - } + log(&format!("WFP setup failed for {offline_username}: {error}")); + ( + WfpSetupMetric { + outcome: WfpSetupMetricOutcome::Failure, + target_account: offline_username.to_string(), + installed_filter_count: 0, + error: Some(error.clone()), + }, + Err(anyhow::anyhow!( + "WFP setup failed for {offline_username}: {error}" + )), + ) } Err(panic_payload) => { let error = panic_payload_to_string(panic_payload); log(&format!( - "WFP setup panicked for {offline_username}: {error}; continuing elevated setup" + "WFP setup panicked for {offline_username}: {error}" )); - WfpSetupMetric { - outcome: WfpSetupMetricOutcome::Failure, - target_account: offline_username.to_string(), - installed_filter_count: 0, - error: Some(format!("panic: {error}")), - } + ( + WfpSetupMetric { + outcome: WfpSetupMetricOutcome::Failure, + target_account: offline_username.to_string(), + installed_filter_count: 0, + error: Some(format!("panic: {error}")), + }, + Err(anyhow::anyhow!( + "WFP setup panicked for {offline_username}: {error}" + )), + ) } }; emit_wfp_setup_metric_safely(codex_home, otel, offline_username, &metric, &mut log); + install_result }