use a junction for the cwd while read ACLs are being applied (#8444)

The elevated setup synchronously applies read/write ACLs to any workspace roots. However, until we apply *read* permission to the full path, powershell cannot use some roots as a cwd as it needs access to all parts of the path in order to apply it as the working directory for a command. The solution is, while the async read-ACL part of setup is running, use a "junction" that lives in C:\Users\CodexSandbox{Offline|Online} that points to the cwd. Once the read ACLs are applied, we stop using the junction. ----- this PR also removes some dead code and overly-verbose logging, and has some light refactoring to the ACL-related functions
2026-05-03 04:42:20 +03:00 · 2025-12-22 12:23:13 -08:00
parent 7809e36a92
commit d65fe38b2c
11 changed files with 273 additions and 324 deletions
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -20,6 +20,8 @@ pub use acl::allow_null_device;
 #[cfg(target_os = "windows")]
 pub use acl::ensure_allow_mask_aces;
 #[cfg(target_os = "windows")]
+pub use acl::ensure_allow_mask_aces_with_inheritance;
+#[cfg(target_os = "windows")]
 pub use acl::ensure_allow_write_aces;
 #[cfg(target_os = "windows")]
 pub use acl::fetch_dacl_handle;