Elevated Sandbox 4 (#7889)

2026-04-28 16:45:54 +00:00 · 2025-12-12 12:30:38 -08:00
parent 570eb5fe78
commit 677732ff65
10 changed files with 739 additions and 128 deletions
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -136,7 +136,9 @@ async fn run_command_under_sandbox(
    if let SandboxType::Windows = sandbox_type {
        #[cfg(target_os = "windows")]
        {
+            use codex_core::features::Feature;
            use codex_windows_sandbox::run_windows_sandbox_capture;
+            use codex_windows_sandbox::run_windows_sandbox_capture_elevated;

            let policy_str = serde_json::to_string(&config.sandbox_policy)?;

@@ -145,18 +147,32 @@ async fn run_command_under_sandbox(
            let env_map = env.clone();
            let command_vec = command.clone();
            let base_dir = config.codex_home.clone();
+            let use_elevated = config.features.enabled(Feature::WindowsSandbox)
+                && config.features.enabled(Feature::WindowsSandboxElevated);

            // Preflight audit is invoked elsewhere at the appropriate times.
            let res = tokio::task::spawn_blocking(move || {
-                run_windows_sandbox_capture(
-                    policy_str.as_str(),
-                    &sandbox_cwd,
-                    base_dir.as_path(),
-                    command_vec,
-                    &cwd_clone,
-                    env_map,
-                    None,
-                )
+                if use_elevated {
+                    run_windows_sandbox_capture_elevated(
+                        policy_str.as_str(),
+                        &sandbox_cwd,
+                        base_dir.as_path(),
+                        command_vec,
+                        &cwd_clone,
+                        env_map,
+                        None,
+                    )
+                } else {
+                    run_windows_sandbox_capture(
+                        policy_str.as_str(),
+                        &sandbox_cwd,
+                        base_dir.as_path(),
+                        command_vec,
+                        &cwd_clone,
+                        env_map,
+                        None,
+                    )
+                }
            })
            .await;