use a junction for the cwd while read ACLs are being applied (#8444)

The elevated setup synchronously applies read/write ACLs to any workspace roots. However, until we apply *read* permission to the full path, powershell cannot use some roots as a cwd as it needs access to all parts of the path in order to apply it as the working directory for a command. The solution is, while the async read-ACL part of setup is running, use a "junction" that lives in C:\Users\CodexSandbox{Offline|Online} that points to the cwd. Once the read ACLs are applied, we stop using the junction. ----- this PR also removes some dead code and overly-verbose logging, and has some light refactoring to the ACL-related functions
2026-05-02 12:21:26 +03:00 · 2025-12-22 12:23:13 -08:00
parent 7809e36a92
commit d65fe38b2c
11 changed files with 273 additions and 324 deletions
--- a/codex-rs/windows-sandbox-rs/src/winutil.rs
+++ b/codex-rs/windows-sandbox-rs/src/winutil.rs
@@ -85,7 +85,6 @@ pub fn format_last_error(err: i32) -> String {
    }
 }

-#[allow(dead_code)]
 pub fn string_from_sid_bytes(sid: &[u8]) -> Result<String, String> {
    unsafe {
        let mut str_ptr: *mut u16 = std::ptr::null_mut();