Use a private desktop for Windows sandbox instead of Winsta0\Default (#14400)

## Summary - launch Windows sandboxed children on a private desktop instead of `Winsta0\Default` - make private desktop the default while keeping `windows.sandbox_private_desktop=false` as the escape hatch - centralize process launch through the shared `create_process_as_user(...)` path - scope the private desktop ACL to the launching logon SID ## Why Today sandboxed Windows commands run on the visible shared desktop. That leaves an avoidable same-desktop attack surface for window interaction, spoofing, and related UI/input issues. This change moves sandboxed commands onto a dedicated per-launch desktop by default so the sandbox no longer shares `Winsta0\Default` with the user session. The implementation stays conservative on security with no silent fallback back to `Winsta0\Default` If private-desktop setup fails on a machine, users can still opt out explicitly with `windows.sandbox_private_desktop=false`. ## Validation - `cargo build -p codex-cli` - elevated-path `codex exec` desktop-name probe returned `CodexSandboxDesktop-*` - elevated-path `codex exec` smoke sweep for shell commands, nested `pwsh`, jobs, and hidden `notepad` launch - unelevated-path full private-desktop compatibility sweep via `codex exec` with `-c windows.sandbox=unelevated`
2026-05-06 06:12:59 +03:00 · 2026-03-13 10:13:39 -07:00
parent 9c9867c9fa
commit 6b3d82daca
30 changed files with 416 additions and 70 deletions
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -81,6 +81,7 @@ pub struct ExecParams {
    pub network: Option<NetworkProxy>,
    pub sandbox_permissions: SandboxPermissions,
    pub windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel,
+    pub windows_sandbox_private_desktop: bool,
    pub justification: Option<String>,
    pub arg0: Option<String>,
 }
@@ -231,6 +232,7 @@ pub fn build_exec_request(
        network,
        sandbox_permissions,
        windows_sandbox_level,
+        windows_sandbox_private_desktop,
        justification,
        arg0: _,
    } = params;
@@ -271,6 +273,7 @@ pub fn build_exec_request(
            codex_linux_sandbox_exe: codex_linux_sandbox_exe.as_ref(),
            use_legacy_landlock,
            windows_sandbox_level,
+            windows_sandbox_private_desktop,
        })
        .map_err(CodexErr::from)?;
    Ok(exec_req)
@@ -290,6 +293,7 @@ pub(crate) async fn execute_exec_request(
        expiration,
        sandbox,
        windows_sandbox_level,
+        windows_sandbox_private_desktop,
        sandbox_permissions,
        sandbox_policy: _sandbox_policy_from_env,
        file_system_sandbox_policy,
@@ -307,6 +311,7 @@ pub(crate) async fn execute_exec_request(
        network: network.clone(),
        sandbox_permissions,
        windows_sandbox_level,
+        windows_sandbox_private_desktop,
        justification,
        arg0,
    };
@@ -409,6 +414,7 @@ async fn exec_windows_sandbox(
        network,
        expiration,
        windows_sandbox_level,
+        windows_sandbox_private_desktop,
        ..
    } = params;
    if let Some(network) = network.as_ref() {
@@ -443,6 +449,7 @@ async fn exec_windows_sandbox(
                &cwd,
                env,
                timeout_ms,
+                windows_sandbox_private_desktop,
            )
        } else {
            run_windows_sandbox_capture(
@@ -453,6 +460,7 @@ async fn exec_windows_sandbox(
                &cwd,
                env,
                timeout_ms,
+                windows_sandbox_private_desktop,
            )
        }
    })