fix: introduce AbsolutePathBuf as part of sandbox config (#7856)

Changes the `writable_roots` field of the `WorkspaceWrite` variant of the `SandboxPolicy` enum from `Vec<PathBuf>` to `Vec<AbsolutePathBuf>`. This is helpful because now callers can be sure the value is an absolute path rather than a relative one. (Though when using an absolute path in a Seatbelt config policy, we still have to _canonicalize_ it first.) Because `writable_roots` can be read from a config file, it is important that we are able to resolve relative paths properly using the parent folder of the config file as the base path.
2026-05-02 20:32:04 +03:00 · 2025-12-12 15:25:22 -08:00
parent 3d07cd6c0c
commit 642b7566df
34 changed files with 277 additions and 122 deletions
--- a/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
+++ b/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
@@ -59,7 +59,7 @@ pub fn run_setup_refresh(
        offline_username: OFFLINE_USERNAME.to_string(),
        online_username: ONLINE_USERNAME.to_string(),
        codex_home: codex_home.to_path_buf(),
-        read_roots: gather_read_roots(command_cwd, policy, policy_cwd),
+        read_roots: gather_read_roots(command_cwd, policy),
        write_roots: gather_write_roots(policy, policy_cwd, command_cwd, env_map),
        real_user: std::env::var("USERNAME").unwrap_or_else(|_| "Administrators".to_string()),
        refresh_only: true,
@@ -183,11 +183,7 @@ fn canonical_existing(paths: &[PathBuf]) -> Vec<PathBuf> {
        .collect()
 }

-pub(crate) fn gather_read_roots(
-    command_cwd: &Path,
-    policy: &SandboxPolicy,
-    policy_cwd: &Path,
-) -> Vec<PathBuf> {
+pub(crate) fn gather_read_roots(command_cwd: &Path, policy: &SandboxPolicy) -> Vec<PathBuf> {
    let mut roots: Vec<PathBuf> = Vec::new();
    for p in [
        PathBuf::from(r"C:\Windows"),
@@ -203,12 +199,7 @@ pub(crate) fn gather_read_roots(
    roots.push(command_cwd.to_path_buf());
    if let SandboxPolicy::WorkspaceWrite { writable_roots, .. } = policy {
        for root in writable_roots {
-            let candidate = if root.is_absolute() {
-                root.clone()
-            } else {
-                policy_cwd.join(root)
-            };
-            roots.push(candidate);
+            roots.push(root.to_path_buf());
        }
    }
    canonical_existing(&roots)
@@ -375,7 +366,7 @@ pub fn run_elevated_setup(
    let read_roots = if let Some(roots) = read_roots_override {
        roots
    } else {
-        gather_read_roots(command_cwd, policy, policy_cwd)
+        gather_read_roots(command_cwd, policy)
    };
    let payload = ElevationPayload {
        version: SETUP_VERSION,