Fail closed for elevated workspace-write on Windows

2026-05-06 04:17:03 +00:00 · 2026-05-04 09:40:10 -07:00
2 changed files with 49 additions and 0 deletions
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -1164,6 +1164,13 @@ pub(crate) fn resolve_windows_elevated_filesystem_overrides(
        return Ok(None);
    }

+    if matches!(sandbox_policy, SandboxPolicy::WorkspaceWrite { .. }) {
+        return Err(
+            "windows elevated sandbox cannot enforce workspace-write filesystem boundaries directly; refusing to run unsandboxed"
+                .to_string(),
+        );
+    }
+
    if !should_use_windows_restricted_token_sandbox(
        sandbox,
        sandbox_policy,
--- a/codex-rs/core/src/exec_tests.rs
+++ b/codex-rs/core/src/exec_tests.rs
@@ -761,6 +761,48 @@ fn windows_elevated_supports_split_write_read_carveouts() {
    );
 }

+#[test]
+fn windows_elevated_rejects_workspace_write_boundaries() {
+    let temp_dir = tempfile::TempDir::new().expect("tempdir");
+    let policy = SandboxPolicy::WorkspaceWrite {
+        writable_roots: vec![],
+        network_access: false,
+        exclude_tmpdir_env_var: true,
+        exclude_slash_tmp: true,
+    };
+    let file_system_policy = FileSystemSandboxPolicy::restricted(vec![
+        codex_protocol::permissions::FileSystemSandboxEntry {
+            path: codex_protocol::permissions::FileSystemPath::Special {
+                value: codex_protocol::permissions::FileSystemSpecialPath::Root,
+            },
+            access: codex_protocol::permissions::FileSystemAccessMode::Read,
+        },
+        codex_protocol::permissions::FileSystemSandboxEntry {
+            path: codex_protocol::permissions::FileSystemPath::Special {
+                value: codex_protocol::permissions::FileSystemSpecialPath::project_roots(
+                    /*subpath*/ None,
+                ),
+            },
+            access: codex_protocol::permissions::FileSystemAccessMode::Write,
+        },
+    ]);
+
+    assert_eq!(
+        unsupported_windows_restricted_token_sandbox_reason(
+            SandboxType::WindowsRestrictedToken,
+            &policy,
+            &file_system_policy,
+            NetworkSandboxPolicy::Restricted,
+            &temp_dir.path().abs(),
+            WindowsSandboxLevel::Elevated,
+        ),
+        Some(
+            "windows elevated sandbox cannot enforce workspace-write filesystem boundaries directly; refusing to run unsandboxed"
+                .to_string()
+        )
+    );
+}
+
 #[test]
 fn windows_elevated_rejects_unreadable_split_carveouts() {
    let temp_dir = tempfile::TempDir::new().expect("tempdir");