fix: support split carveouts in windows elevated sandbox (#14568)

## Summary - preserve legacy Windows elevated sandbox behavior for existing policies - add elevated-only support for split filesystem policies that can be represented as readable-root overrides, writable-root overrides, and extra deny-write carveouts - resolve those elevated filesystem overrides during sandbox transform and thread them through setup and policy refresh - keep failing closed for explicit unreadable (`none`) carveouts and reopened writable descendants under read-only carveouts - for explicit read-only-under-writable-root carveouts, materialize missing carveout directories during elevated setup before applying the deny-write ACL - document the elevated vs restricted-token support split in the core README ## Example Given a split filesystem policy like: ```toml ":root" = "read" ":cwd" = "write" "./docs" = "read" "C:/scratch" = "write" ``` the elevated backend now provisions the readable-root overrides, writable-root overrides, and extra deny-write carveouts during setup and refresh instead of collapsing back to the legacy workspace-only shape. If a read-only carveout under a writable root is missing at setup time, elevated setup creates that carveout as an empty directory before applying its deny-write ACE; otherwise the sandboxed command could create it later and bypass the carveout. This is only for explicit policy carveouts. Best-effort workspace protections like `.codex/` and `.agents/` still skip missing directories. A policy like: ```toml "/workspace" = "write" "/workspace/docs" = "read" "/workspace/docs/tmp" = "write" ``` still fails closed, because the elevated backend does not reopen writable descendants under read-only carveouts yet. --------- Co-authored-by: Codex <noreply@openai.com>
2026-05-01 18:06:47 +00:00 · 2026-04-09 17:34:52 -07:00
parent 32224878b3
commit b976e701a8
11 changed files with 744 additions and 95 deletions
--- a/codex-rs/windows-sandbox-rs/src/identity.rs
+++ b/codex-rs/windows-sandbox-rs/src/identity.rs
@@ -5,6 +5,7 @@ use crate::setup::gather_read_roots;
 use crate::setup::gather_write_roots;
 use crate::setup::offline_proxy_settings_from_env;
 use crate::setup::run_elevated_setup;
+use crate::setup::run_setup_refresh_with_overrides;
 use crate::setup::sandbox_users_path;
 use crate::setup::setup_marker_path;
 use crate::setup::SandboxNetworkIdentity;
@@ -19,6 +20,7 @@ use base64::Engine;
 use std::collections::HashMap;
 use std::fs;
 use std::path::Path;
+use std::path::PathBuf;

 #[derive(Debug, Clone)]
 struct SandboxIdentity {
@@ -127,17 +129,25 @@ fn select_identity(
    }))
 }

+#[allow(clippy::too_many_arguments)]
 pub fn require_logon_sandbox_creds(
    policy: &SandboxPolicy,
    policy_cwd: &Path,
    command_cwd: &Path,
    env_map: &HashMap<String, String>,
    codex_home: &Path,
+    read_roots_override: Option<&[PathBuf]>,
+    write_roots_override: Option<&[PathBuf]>,
+    deny_write_paths_override: &[PathBuf],
    proxy_enforced: bool,
 ) -> Result<SandboxCreds> {
    let sandbox_dir = crate::setup::sandbox_dir(codex_home);
-    let needed_read = gather_read_roots(command_cwd, policy, codex_home);
-    let needed_write = gather_write_roots(policy, policy_cwd, command_cwd, env_map);
+    let needed_read = read_roots_override
+        .map(<[PathBuf]>::to_vec)
+        .unwrap_or_else(|| gather_read_roots(command_cwd, policy, codex_home));
+    let needed_write = write_roots_override
+        .map(<[PathBuf]>::to_vec)
+        .unwrap_or_else(|| gather_write_roots(policy, policy_cwd, command_cwd, env_map));
    let network_identity = SandboxNetworkIdentity::from_policy(policy, proxy_enforced);
    let desired_offline_proxy_settings =
        offline_proxy_settings_from_env(env_map, network_identity);
@@ -187,20 +197,28 @@ pub fn require_logon_sandbox_creds(
                proxy_enforced,
            },
            crate::setup::SetupRootOverrides {
-                read_roots: Some(needed_read),
-                write_roots: Some(needed_write),
+                read_roots: Some(needed_read.clone()),
+                write_roots: Some(needed_write.clone()),
+                deny_write_paths: Some(deny_write_paths_override.to_vec()),
            },
        )?;
        identity = select_identity(network_identity, codex_home)?;
    }
    // Always refresh ACLs (non-elevated) for current roots via the setup binary.
-    crate::setup::run_setup_refresh(
-        policy,
-        policy_cwd,
-        command_cwd,
-        env_map,
-        codex_home,
-        proxy_enforced,
+    run_setup_refresh_with_overrides(
+        crate::setup::SandboxSetupRequest {
+            policy,
+            policy_cwd,
+            command_cwd,
+            env_map,
+            codex_home,
+            proxy_enforced,
+        },
+        crate::setup::SetupRootOverrides {
+            read_roots: Some(needed_read),
+            write_roots: Some(needed_write),
+            deny_write_paths: Some(deny_write_paths_override.to_vec()),
+        },
    )?;
    let identity = identity.ok_or_else(|| {
        anyhow!(