Promote Windows Sandbox (#11341)

1. Move Windows Sandbox NUX to right after trust directory screen 2. Don't offer read-only as an option in Sandbox NUX. Elevated/Legacy/Quit 3. Don't allow new untrusted directories. It's trust or quit 4. move experimental sandbox features to `[windows] sandbox="elevated|unelevatd"` 5. Copy tweaks = elevated -> default, non-elevated -> non-admin
2026-05-03 04:42:20 +03:00 · 2026-02-11 11:48:33 -08:00
parent 24e6adbda5
commit 87279de434
21 changed files with 727 additions and 395 deletions
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -115,6 +115,8 @@ pub use token::get_current_token_for_restriction;
 #[cfg(target_os = "windows")]
 pub use windows_impl::run_windows_sandbox_capture;
 #[cfg(target_os = "windows")]
+pub use windows_impl::run_windows_sandbox_legacy_preflight;
+#[cfg(target_os = "windows")]
 pub use windows_impl::CaptureResult;
 #[cfg(target_os = "windows")]
 pub use winutil::string_from_sid_bytes;
@@ -130,6 +132,8 @@ pub use stub::apply_world_writable_scan_and_denies;
 #[cfg(not(target_os = "windows"))]
 pub use stub::run_windows_sandbox_capture;
 #[cfg(not(target_os = "windows"))]
+pub use stub::run_windows_sandbox_legacy_preflight;
+#[cfg(not(target_os = "windows"))]
 pub use stub::CaptureResult;

 #[cfg(target_os = "windows")]
@@ -502,6 +506,50 @@ mod windows_impl {
        })
    }

+    pub fn run_windows_sandbox_legacy_preflight(
+        sandbox_policy: &SandboxPolicy,
+        sandbox_policy_cwd: &Path,
+        codex_home: &Path,
+        cwd: &Path,
+        env_map: &HashMap<String, String>,
+    ) -> Result<()> {
+        let is_workspace_write = matches!(sandbox_policy, SandboxPolicy::WorkspaceWrite { .. });
+        if !is_workspace_write {
+            return Ok(());
+        }
+
+        ensure_codex_home_exists(codex_home)?;
+        let caps = load_or_create_cap_sids(codex_home)?;
+        let psid_generic =
+            unsafe { convert_string_sid_to_sid(&caps.workspace) }.expect("valid workspace SID");
+        let ws_sid = workspace_cap_sid_for_cwd(codex_home, cwd)?;
+        let psid_workspace =
+            unsafe { convert_string_sid_to_sid(&ws_sid) }.expect("valid workspace SID");
+        let current_dir = cwd.to_path_buf();
+        let AllowDenyPaths { allow, deny } =
+            compute_allow_paths(sandbox_policy, sandbox_policy_cwd, &current_dir, env_map);
+        let canonical_cwd = canonicalize_path(&current_dir);
+
+        unsafe {
+            for p in &allow {
+                let psid = if is_command_cwd_root(p, &canonical_cwd) {
+                    psid_workspace
+                } else {
+                    psid_generic
+                };
+                let _ = add_allow_ace(p, psid);
+            }
+            for p in &deny {
+                let _ = add_deny_write_ace(p, psid_generic);
+            }
+            allow_null_device(psid_generic);
+            allow_null_device(psid_workspace);
+            let _ = protect_workspace_codex_dir(&current_dir, psid_workspace);
+        }
+
+        Ok(())
+    }
+
    #[cfg(test)]
    mod tests {
        use super::should_apply_network_block;
@@ -570,4 +618,14 @@ mod stub {
    ) -> Result<()> {
        bail!("Windows sandbox is only available on Windows")
    }
+
+    pub fn run_windows_sandbox_legacy_preflight(
+        _sandbox_policy: &SandboxPolicy,
+        _sandbox_policy_cwd: &Path,
+        _codex_home: &Path,
+        _cwd: &Path,
+        _env_map: &HashMap<String, String>,
+    ) -> Result<()> {
+        bail!("Windows sandbox is only available on Windows")
+    }
 }