consolidate world-writable-directories scanning. (#7234)

clean up the code for scanning for world writable directories One path (selecting a sandbox mode from /approvals) was using an incorrect method that did not use the new method of creating deny aces to prevent writing to those directories. Now all paths are the same.
2026-05-01 03:42:05 +03:00 · 2025-11-24 09:51:58 -08:00
parent b2cddec3d7
commit 486b1c4d9d
4 changed files with 53 additions and 112 deletions
--- a/codex-rs/windows-sandbox-rs/src/audit.rs
+++ b/codex-rs/windows-sandbox-rs/src/audit.rs
@@ -8,7 +8,6 @@ use crate::token::world_sid;
 use anyhow::anyhow;
 use crate::winutil::to_wide;
 use anyhow::Result;
-use std::collections::HashMap;
 use std::collections::HashSet;
 use std::ffi::c_void;
 use std::path::Path;
@@ -296,6 +295,32 @@ pub fn audit_everyone_writable(
    Ok(Vec::new())
 }

+pub fn apply_world_writable_scan_and_denies(
+    codex_home: &Path,
+    cwd: &Path,
+    env_map: &std::collections::HashMap<String, String>,
+    sandbox_policy: &SandboxPolicy,
+    logs_base_dir: Option<&Path>,
+) -> Result<()> {
+    let flagged = audit_everyone_writable(cwd, env_map, logs_base_dir)?;
+    if flagged.is_empty() {
+        return Ok(());
+    }
+    if let Err(err) = apply_capability_denies_for_world_writable(
+        codex_home,
+        &flagged,
+        sandbox_policy,
+        cwd,
+        logs_base_dir,
+    ) {
+        log_note(
+            &format!("AUDIT: failed to apply capability deny ACEs: {}", err),
+            logs_base_dir,
+        );
+    }
+    Ok(())
+}
+
 pub fn apply_capability_denies_for_world_writable(
    codex_home: &Path,
    flagged: &[PathBuf],
@@ -359,31 +384,6 @@ pub fn apply_capability_denies_for_world_writable(
    }
    Ok(())
 }
-
-fn normalize_windows_path_for_display(p: impl AsRef<Path>) -> String {
-    let canon = dunce::canonicalize(p.as_ref()).unwrap_or_else(|_| p.as_ref().to_path_buf());
-    canon.display().to_string().replace('/', "\\")
-}
-
-pub fn world_writable_warning_details(
-    codex_home: impl AsRef<Path>,
-    cwd: impl AsRef<Path>,
-) -> Option<(Vec<String>, usize, bool)> {
-    let env_map: HashMap<String, String> = std::env::vars().collect();
-    match audit_everyone_writable(cwd.as_ref(), &env_map, Some(codex_home.as_ref())) {
-        Ok(paths) if paths.is_empty() => None,
-        Ok(paths) => {
-            let as_strings: Vec<String> = paths
-                .iter()
-                .map(normalize_windows_path_for_display)
-                .collect();
-            let sample_paths: Vec<String> = as_strings.iter().take(3).cloned().collect();
-            let extra_count = as_strings.len().saturating_sub(sample_paths.len());
-            Some((sample_paths, extra_count, false))
-        }
-        Err(_) => Some((Vec::new(), 0, true)),
-    }
-}
 // Fast mask-based check: does the DACL contain any ACCESS_ALLOWED ACE for
 // Everyone that grants write after generic bits are expanded? Skips inherit-only
 // ACEs (do not apply to the current object).