fix: support split carveouts in windows elevated sandbox#14568
Open
viyatb-oai wants to merge 10 commits intomainfrom
Open
fix: support split carveouts in windows elevated sandbox#14568viyatb-oai wants to merge 10 commits intomainfrom
viyatb-oai wants to merge 10 commits intomainfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 46da179661
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
viyatb-oai
force-pushed
the
codex/viyatb/permissions-windows-fail-closed
branch
from
86c7c4e to
17c89eb
Compare
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
46da179 to
aa35d52
Compare
viyatb-oai
changed the base branch from
codex/viyatb/permissions-windows-fail-closed
to
main
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
aa35d52 to
d10d8b5
Compare
viyatb-oai
changed the base branch from
main
to
codex/viyatb/permissions-windows-fail-closed
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
980af52 to
3f1c117
Compare
viyatb-oai
added a commit
that referenced
this pull request
Mar 25, 2026
) ## Summary - keep legacy Windows restricted-token sandboxing as the supported baseline - support the split-policy subset that restricted-token can enforce directly today - support full-disk read, the same writable root set as legacy `WorkspaceWrite`, and extra read-only carveouts under those writable roots via additional deny-write ACLs - continue to fail closed for unsupported split-only shapes, including explicit unreadable (`none`) carveouts, reopened writable descendants under read-only carveouts, and writable root sets that do not match the legacy workspace roots ## Example Given a filesystem policy like: ```toml ":root" = "read" ":cwd" = "write" "./docs" = "read" ``` the restricted-token backend can keep the workspace writable while denying writes under `docs` by layering an extra deny-write carveout on top of the legacy workspace-write roots. A policy like: ```toml "/workspace" = "write" "/workspace/docs" = "read" "/workspace/docs/tmp" = "write" ``` still fails closed, because the unelevated backend cannot reopen the nested writable descendant safely. ## Stack -> fix: support split carveouts in windows restricted-token sandbox #14172 fix: support split carveouts in windows elevated sandbox #14568
Base automatically changed from
codex/viyatb/permissions-windows-fail-closed
to
main
March 25, 2026 05:54
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
3f1c117 to
d30f171
Compare
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
d30f171 to
c7b5c90
Compare
| let sandbox_dir = crate::setup::sandbox_dir(codex_home); | ||
| let needed_read = gather_read_roots(command_cwd, policy, codex_home); | ||
| let needed_write = gather_write_roots(policy, policy_cwd, command_cwd, env_map); | ||
| let needed_read = read_roots_override |
Collaborator
There was a problem hiding this comment.
gather_read_roots() attempts to provide read access to the sandbox user to a number of directories that we think it might need in order to actually be able to execute commands (like the real user's profile dir, some important windows directories, etc.)
I'm worried that if we just replace those with a set of config-supplied directories then some commands will fail in surprising ways. Unless, this feature is meant to be literally "the sandbox can read this directories and nothing else"?
Collaborator
Author
There was a problem hiding this comment.
good point, fixed it.
rhan-oai
pushed a commit
that referenced
this pull request
Mar 25, 2026
) ## Summary - keep legacy Windows restricted-token sandboxing as the supported baseline - support the split-policy subset that restricted-token can enforce directly today - support full-disk read, the same writable root set as legacy `WorkspaceWrite`, and extra read-only carveouts under those writable roots via additional deny-write ACLs - continue to fail closed for unsupported split-only shapes, including explicit unreadable (`none`) carveouts, reopened writable descendants under read-only carveouts, and writable root sets that do not match the legacy workspace roots ## Example Given a filesystem policy like: ```toml ":root" = "read" ":cwd" = "write" "./docs" = "read" ``` the restricted-token backend can keep the workspace writable while denying writes under `docs` by layering an extra deny-write carveout on top of the legacy workspace-write roots. A policy like: ```toml "/workspace" = "write" "/workspace/docs" = "read" "/workspace/docs/tmp" = "write" ``` still fails closed, because the unelevated backend cannot reopen the nested writable descendant safely. ## Stack -> fix: support split carveouts in windows restricted-token sandbox #14172 fix: support split carveouts in windows elevated sandbox #14568
…elevated-permissions-support # Conflicts: # codex-rs/cli/src/debug_sandbox.rs # codex-rs/core/src/exec.rs # codex-rs/windows-sandbox-rs/src/elevated_impl.rs # codex-rs/windows-sandbox-rs/src/identity.rs # codex-rs/windows-sandbox-rs/src/setup_main_win.rs # codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
Co-authored-by: Codex <[email protected]>
Co-authored-by: Codex <[email protected]>
| file_system_sandbox_policy, | ||
| network_sandbox_policy, | ||
| windows_restricted_token_filesystem_overlay: _windows_restricted_token_filesystem_overlay, | ||
| windows_elevated_filesystem_overrides: _windows_elevated_filesystem_overrides, |
Collaborator
There was a problem hiding this comment.
what do you think about merging these into one thing, and then each sandbox implementation (legacy vs elevated) can decide which of the fields it actually supports?
| /// Resolved filesystem overrides for the elevated Windows sandbox backend. | ||
| /// | ||
| /// Unlike the restricted-token path, elevated setup can provision explicit read | ||
| /// and write roots up front, so we pass the exact split-policy roots and any |
Collaborator
There was a problem hiding this comment.
might want to update this docstring to indicate that read roots include the gather_read_roots ones too
Co-authored-by: Codex <[email protected]>
Co-authored-by: Codex <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
none) carveouts and reopened writable descendants under read-only carveoutsExample
Given a split filesystem policy like:
the elevated backend now provisions the readable-root overrides, writable-root overrides, and extra deny-write carveouts during setup and refresh instead of collapsing back to the legacy workspace-only shape.
A policy like:
still fails closed, because the elevated backend does not reopen writable descendants under read-only carveouts yet.