From b3d65de98caae7420f9e60bd38a0249b4e35cd06 Mon Sep 17 00:00:00 2001
From: viyatb-oai
Date: Fri, 8 May 2026 10:16:10 -0700
Subject: [PATCH] fix(sandbox): adapt windows deny-read parity rebase
Co-authored-by: Codex noreply@openai.com
---
 codex-rs/core/src/exec.rs | 13 +------------
 codex-rs/core/src/exec_tests.rs | 8 ++++++--
 codex-rs/windows-sandbox-rs/src/lib.rs | 4 ++--
 3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/codex-rs/core/src/exec.rs b/codex-rs/core/src/exec.rs
index 8a996f4ad3..ff2d958efd 100644
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -1198,12 +1198,6 @@ pub(crate) fn resolve_windows_elevated_filesystem_overrides(
 .needs_direct_runtime_enforcement(network_sandbox_policy, sandbox_policy_cwd);
 let normalize_path = |path: PathBuf| dunce::canonicalize(&path).unwrap_or(path);
 let legacy_writable_roots = sandbox_policy.get_writable_roots_with_cwd(sandbox_policy_cwd);
- let legacy_readable_root_set: BTreeSet = sandbox_policy
 .get_readable_roots_with_cwd(sandbox_policy_cwd)
 .into_iter()
 .map(codex_utils_absolute_path::AbsolutePathBuf::into_path_buf)
 .map(&normalize_path)
 .collect();
 let legacy_root_paths: BTreeSet = legacy_writable_roots
 .iter()
 .map(|root| normalize_path(root.root.to_path_buf()))
@@ -1214,7 +1208,6 @@ pub(crate) fn resolve_windows_elevated_filesystem_overrides(
 .map(codex_utils_absolute_path::AbsolutePathBuf::into_path_buf)
 .map(&normalize_path)
 .collect();
- let split_readable_root_set: BTreeSet = split_readable_roots.iter().cloned().collect();
 let split_root_paths: Vec = split_writable_roots
 .iter()
 .map(|root| normalize_path(root.root.to_path_buf()))
@@ -1227,11 +1220,7 @@ pub(crate) fn resolve_windows_elevated_filesystem_overrides(
 // additional deny ACLs layered on top.
 let split_has_root_read_access =
 windows_policy_has_root_read_access(file_system_sandbox_policy, sandbox_policy_cwd);
- let matches_legacy_read_access =
 split_has_root_read_access == sandbox_policy.has_full_disk_read_access();
- let read_roots_override = if matches_legacy_read_access
 && (split_has_root_read_access || split_readable_root_set == legacy_readable_root_set)
 {
+ let read_roots_override = if split_has_root_read_access {
 None
 } else {
 Some(split_readable_roots)
diff --git a/codex-rs/core/src/exec_tests.rs b/codex-rs/core/src/exec_tests.rs
index 7157a319d8..457cec15ac 100644
--- a/codex-rs/core/src/exec_tests.rs
+++ b/codex-rs/core/src/exec_tests.rs
@@ -678,7 +678,6 @@ fn windows_restricted_token_supports_unreadable_split_carveouts() {
 std::fs::create_dir_all(blocked.as_path()).expect("create blocked");
 let policy = SandboxPolicy::WorkspaceWrite {
 writable_roots: vec![],
- read_only_access: codex_protocol::protocol::ReadOnlyAccess::FullAccess,
 network_access: false,
 exclude_tmpdir_env_var: true,
 exclude_slash_tmp: true,
@@ -692,7 +691,9 @@ fn windows_restricted_token_supports_unreadable_split_carveouts() {
 },
 codex_protocol::permissions::FileSystemSandboxEntry {
 path: codex_protocol::permissions::FileSystemPath::Special {
- value: codex_protocol::permissions::FileSystemSpecialPath::CurrentWorkingDirectory,
+ value: codex_protocol::permissions::FileSystemSpecialPath::project_roots(
 /*subpath*/ None,
 ),
 },
 access: codex_protocol::permissions::FileSystemAccessMode::Write,
 },
@@ -715,6 +716,7 @@ fn windows_restricted_token_supports_unreadable_split_carveouts() {
 ),
 Ok(Some(WindowsSandboxFilesystemOverrides {
 read_roots_override: None,
+ read_roots_include_platform_defaults: false,
 write_roots_override: None,
 additional_deny_read_paths: vec![blocked.clone()],
 additional_deny_write_paths: vec![blocked],
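Review bot: The `read_roots_override` decision in this hunk now rests on `split_has_root_read_access` alone, so `sandbox_policy.has_full_disk_read_access()` no longer participates and any disagreement between the legacy and split policies is resolved silently in favour of the split readable roots; the comment whose last visible line is `// additional deny ACLs layered on top.` begins above the hunk and presumably still describes the old parity rule, so it should be reworded. Suggested tail for that comment: `// Read roots come from the split policy alone: None when it grants root read access, otherwise its explicit readable roots; the legacy policy is not consulted here.` The removals of `legacy_readable_root_set` and `split_readable_root_set` in the two earlier hunks of this file are the consequent dead-code cleanup, while the legacy writable-root sets built there remain in use, which suggests the write side still compares against the legacy policy — worth confirming that read/write asymmetry is intended and saying so in the same comment. resolve_windows_elevated_filesystem_overrides starts and ends outside the hunk.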
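Review bot: The added `read_roots_include_platform_defaults: false` expectation here, and again in the two hunks at 867 and 929, pins only the `false` value, and no hunk in this patch shows where exec.rs computes that field, so the path that yields `true` is left unexercised by this change. A companion case whose policy is expected to produce `read_roots_include_platform_defaults: true` would pin the other branch, or, if that is already covered elsewhere in the file, a short comment at this assertion naming the policy condition that keeps the flag false would make the expectation self-explanatory. The write entry in the 691 hunk also switches from `CurrentWorkingDirectory` to `project_roots(/*subpath*/ None)`, which changes what the test exercises; a one-line comment on why the cwd form no longer applies would help the next reader. The test functions begin and end outside these hunks.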
@@ -865,6 +867,7 @@ fn windows_elevated_supports_unreadable_split_carveouts() {
 ),
 Ok(Some(WindowsSandboxFilesystemOverrides {
 read_roots_override: None,
+ read_roots_include_platform_defaults: false,
 write_roots_override: None,
 additional_deny_read_paths: vec![
 codex_utils_absolute_path::AbsolutePathBuf::from_absolute_path(
@@ -926,6 +929,7 @@ fn windows_elevated_supports_unreadable_globs() {
 ),
 Ok(Some(WindowsSandboxFilesystemOverrides {
 read_roots_override: None,
+ read_roots_include_platform_defaults: false,
 write_roots_override: None,
 additional_deny_read_paths: vec![
 codex_utils_absolute_path::AbsolutePathBuf::from_absolute_path(secret)
diff --git a/codex-rs/windows-sandbox-rs/src/lib.rs b/codex-rs/windows-sandbox-rs/src/lib.rs
index 887b29426f..35497de2bd 100644
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -106,8 +106,6 @@ pub use conpty::ConptyInstance;
 #[cfg(target_os = "windows")]
 pub use conpty::spawn_conpty_process_as_user;
 #[cfg(target_os = "windows")]
-pub use desktop::LaunchDesktop;
-#[cfg(target_os = "windows")]
 pub use deny_read_acl::DenyReadAclRecordKind;
 #[cfg(target_os = "windows")]
 pub use deny_read_acl::apply_deny_read_acls;
@@ -119,6 +117,8 @@ pub use deny_read_acl::plan_deny_read_acl_paths;
 pub use deny_read_acl::write_persistent_deny_read_acl_record;
 pub use deny_read_resolver::resolve_windows_deny_read_paths;
 #[cfg(target_os = "windows")]
+pub use desktop::LaunchDesktop;
+#[cfg(target_os = "windows")]
 pub use dpapi::protect as dpapi_protect;
 #[cfg(target_os = "windows")]
 pub use dpapi::unprotect as dpapi_unprotect;