fix(windows-sandbox): preserve deny-read ACL ordering

Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
2026-05-09 18:40:37 +00:00
parent a49f2e73cb
commit b23d2e0d32


@@ -233,19 +233,6 @@ pub(crate) fn apply_legacy_session_acl_rules(
let mut guards: Vec<PathBuf> = Vec::new();
let canonical_cwd = canonicalize_path(current_dir);
unsafe {
let applied_deny_read_paths = if persist_aces {
sync_persistent_deny_read_acls(
codex_home,
cap_sid_str,
additional_deny_read_paths,
psid_generic.as_ptr(),
)?
} else {
apply_deny_read_acls(additional_deny_read_paths, psid_generic.as_ptr())?
};
if !persist_aces {
guards.extend(applied_deny_read_paths);
}
for path in additional_deny_write_paths {
// Explicit carveouts must exist before the command starts so the
// sandbox cannot create them under a writable parent first.
@@ -275,6 +262,19 @@ pub(crate) fn apply_legacy_session_acl_rules(
guards.push(p.clone());
}
}
let applied_deny_read_paths = if persist_aces {
sync_persistent_deny_read_acls(
codex_home,
cap_sid_str,
additional_deny_read_paths,
psid_generic.as_ptr(),
)?
} else {
apply_deny_read_acls(additional_deny_read_paths, psid_generic.as_ptr())?
};
if !persist_aces {
guards.extend(applied_deny_read_paths);
}
allow_null_device(psid_generic.as_ptr());
if let Some(psid_workspace) = psid_workspace {
allow_null_device(psid_workspace.as_ptr());
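Review bot: Moving the deny-read block below the deny-write loop changes what has already happened when the `?` after `sync_persistent_deny_read_acls(...)` or `apply_deny_read_acls(...)` returns early: the deny-write carve-outs pushed into `guards` just above now exist on disk at that point, whereas before this commit a deny-read failure occurred before any carve-out was created. If `guards` is only consumed on the success path (its consumer is not visible in this hunk), the error path now leaves those carve-outs and their ACEs behind, so this is worth confirming or covering with a drop-based cleanup. The reordering is also undocumented in the code itself — the reason lives only in the commit title — so a future refactor could move the block back; a comment above the new `let applied_deny_read_paths` such as `// Apply deny-read ACLs after the deny-write carve-outs: applying them first changed the resulting deny-read ACE ordering.` would pin the dependency. The enclosing `apply_legacy_session_acl_rules` begins before this hunk and continues past its last line.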