implement per-workspace capability SIDs for workspace specific ACLs (#10189)

Today, there is a single capability SID that allows the sandbox to write to * workspace (cwd) * tmp directories if enabled * additional writable roots This change splits those up, so that each workspace has its own capability SID, while tmp and additional roots, which are installation-wide, are still governed by the "generic" capability SID This isolates workspaces from each other in terms of sandbox write access. Also allows us to protect <cwd>/.codex when codex runs in a specific <cwd>
2026-05-03 10:56:37 +00:00 · 2026-02-03 12:37:51 -08:00
parent 654fcb4962
commit aabe0f259c
11 changed files with 336 additions and 104 deletions
--- a/codex-rs/windows-sandbox-rs/src/workspace_acl.rs
+++ b/codex-rs/windows-sandbox-rs/src/workspace_acl.rs
@@ -0,0 +1,20 @@
+use crate::acl::add_deny_write_ace;
+use crate::path_normalization::canonicalize_path;
+use anyhow::Result;
+use std::ffi::c_void;
+use std::path::Path;
+
+pub fn is_command_cwd_root(root: &Path, canonical_command_cwd: &Path) -> bool {
+    canonicalize_path(root) == canonical_command_cwd
+}
+
+/// # Safety
+/// Caller must ensure `psid` is a valid SID pointer.
+pub unsafe fn protect_workspace_codex_dir(cwd: &Path, psid: *mut c_void) -> Result<bool> {
+    let cwd_codex = cwd.join(".codex");
+    if cwd_codex.is_dir() {
+        add_deny_write_ace(&cwd_codex, psid)
+    } else {
+        Ok(false)
+    }
+}