Skip Windows sandbox for danger-full-access

2026-05-22 03:54:18 +00:00 · 2026-05-04 09:42:03 -07:00
2 changed files with 38 additions and 1 deletions
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -482,7 +482,7 @@ async fn get_raw_output_result(
    >,
 ) -> Result<RawExecToolCallOutput> {
    #[cfg(target_os = "windows")]
-    if sandbox == SandboxType::WindowsRestrictedToken {
+    if should_route_through_windows_sandbox(sandbox, sandbox_policy) {
        return exec_windows_sandbox(params, sandbox_policy, windows_sandbox_filesystem_overrides)
            .await;
    }
@@ -490,6 +490,17 @@ async fn get_raw_output_result(
    exec(params, network_sandbox_policy, stdout_stream, after_spawn).await
 }

+fn should_route_through_windows_sandbox(
+    sandbox: SandboxType,
+    sandbox_policy: &SandboxPolicy,
+) -> bool {
+    sandbox == SandboxType::WindowsRestrictedToken
+        && !matches!(
+            sandbox_policy,
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+        )
+}
+
 #[cfg(target_os = "windows")]
 fn extract_create_process_as_user_error_code(err: &str) -> Option<String> {
    let marker = "CreateProcessAsUserW failed: ";
--- a/codex-rs/core/src/exec_tests.rs
+++ b/codex-rs/core/src/exec_tests.rs
@@ -394,6 +394,32 @@ fn windows_restricted_token_skips_external_sandbox_policies() {
    );
 }

+#[test]
+fn windows_exec_routing_skips_danger_full_access_policies() {
+    assert!(!should_route_through_windows_sandbox(
+        SandboxType::WindowsRestrictedToken,
+        &SandboxPolicy::DangerFullAccess,
+    ));
+}
+
+#[test]
+fn windows_exec_routing_skips_external_sandbox_policies() {
+    assert!(!should_route_through_windows_sandbox(
+        SandboxType::WindowsRestrictedToken,
+        &SandboxPolicy::ExternalSandbox {
+            network_access: codex_protocol::protocol::NetworkAccess::Restricted,
+        },
+    ));
+}
+
+#[test]
+fn windows_exec_routing_keeps_restricted_policies() {
+    assert!(should_route_through_windows_sandbox(
+        SandboxType::WindowsRestrictedToken,
+        &SandboxPolicy::new_workspace_write_policy(),
+    ));
+}
+
 #[test]
 fn windows_restricted_token_runs_for_legacy_restricted_policies() {
    let policy = SandboxPolicy::new_read_only_policy();