iceweasel-oai aabe0f259c implement per-workspace capability SIDs for workspace specific ACLs (#10189) ...

Today, there is a single capability SID that allows the sandbox to write
to
* workspace (cwd)
* tmp directories if enabled
* additional writable roots

This change splits those up, so that each workspace has its own
capability SID, while tmp and additional roots, which are
installation-wide, are still governed by the "generic" capability SID

This isolates workspaces from each other in terms of sandbox write
access.
Also allows us to protect <cwd>/.codex when codex runs in a specific
<cwd>

2026-02-03 12:37:51 -08:00

..

src

implement per-workspace capability SIDs for workspace specific ACLs (#10189)

2026-02-03 12:37:51 -08:00

BUILD.bazel

feat: add support for building with Bazel (#8875)

2026-01-09 11:09:43 -08:00

build.rs

Elevated Sandbox 2 (#7792)

2025-12-10 21:23:16 -08:00

Cargo.lock

Windows Sandbox - Alpha version (#4905)

2025-10-30 15:51:57 -07:00

Cargo.toml

fix: handle utf-8 in windows sandbox logs (#8647)

2026-01-26 15:11:27 -08:00

codex-windows-sandbox-setup.manifest

Elevated Sandbox 2 (#7792)

2025-12-10 21:23:16 -08:00

sandbox_smoketests.py

smoketest for browser vuln, rough draft of Windows security doc (#6822)

2025-11-18 16:43:34 -08:00