implement per-workspace capability SIDs for workspace specific ACLs (#10189)

Today, there is a single capability SID that allows the sandbox to write to * workspace (cwd) * tmp directories if enabled * additional writable roots This change splits those up, so that each workspace has its own capability SID, while tmp and additional roots, which are installation-wide, are still governed by the "generic" capability SID This isolates workspaces from each other in terms of sandbox write access. Also allows us to protect <cwd>/.codex when codex runs in a specific <cwd>
2026-05-03 04:42:20 +03:00 · 2026-02-03 12:37:51 -08:00
parent 654fcb4962
commit aabe0f259c
11 changed files with 336 additions and 104 deletions
--- a/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
+++ b/codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
@@ -12,6 +12,7 @@ use std::process::Stdio;
 use crate::allow::compute_allow_paths;
 use crate::allow::AllowDenyPaths;
 use crate::logging::log_note;
+use crate::path_normalization::canonical_path_key;
 use crate::policy::SandboxPolicy;
 use crate::setup_error::clear_setup_error_report;
 use crate::setup_error::failure;
@@ -82,6 +83,7 @@ pub fn run_setup_refresh(
        offline_username: OFFLINE_USERNAME.to_string(),
        online_username: ONLINE_USERNAME.to_string(),
        codex_home: codex_home.to_path_buf(),
+        command_cwd: command_cwd.to_path_buf(),
        read_roots,
        write_roots,
        real_user: std::env::var("USERNAME").unwrap_or_else(|_| "Administrators".to_string()),
@@ -259,6 +261,7 @@ struct ElevationPayload {
    offline_username: String,
    online_username: String,
    codex_home: PathBuf,
+    command_cwd: PathBuf,
    read_roots: Vec<PathBuf>,
    write_roots: Vec<PathBuf>,
    real_user: String,
@@ -475,6 +478,7 @@ pub fn run_elevated_setup(
        offline_username: OFFLINE_USERNAME.to_string(),
        online_username: ONLINE_USERNAME.to_string(),
        codex_home: codex_home.to_path_buf(),
+        command_cwd: command_cwd.to_path_buf(),
        read_roots,
        write_roots,
        real_user: std::env::var("USERNAME").unwrap_or_else(|_| "Administrators".to_string()),
@@ -517,14 +521,14 @@ fn build_payload_roots(
 fn filter_sensitive_write_roots(mut roots: Vec<PathBuf>, codex_home: &Path) -> Vec<PathBuf> {
    // Never grant capability write access to CODEX_HOME or anything under CODEX_HOME/.sandbox.
    // These locations contain sandbox control/state and must remain tamper-resistant.
-    let codex_home_key = crate::audit::normalize_path_key(codex_home);
-    let sbx_dir_key = crate::audit::normalize_path_key(&sandbox_dir(codex_home));
+    let codex_home_key = canonical_path_key(codex_home);
+    let sbx_dir_key = canonical_path_key(&sandbox_dir(codex_home));
    let sbx_dir_prefix = format!("{}/", sbx_dir_key.trim_end_matches('/'));
-    let secrets_dir_key = crate::audit::normalize_path_key(&sandbox_secrets_dir(codex_home));
+    let secrets_dir_key = canonical_path_key(&sandbox_secrets_dir(codex_home));
    let secrets_dir_prefix = format!("{}/", secrets_dir_key.trim_end_matches('/'));

    roots.retain(|root| {
-        let key = crate::audit::normalize_path_key(root);
+        let key = canonical_path_key(root);
        key != codex_home_key
            && key != sbx_dir_key
            && !key.starts_with(&sbx_dir_prefix)