fix: support split carveouts in windows restricted-token sandbox

codex-rs/app-server/src/command_exec.rs

@@ -734,21 +734,21 @@ mod tests {
             access: ReadOnlyAccess::FullAccess,
             network_access: false,
         };
-        ExecRequest {
-            command: vec!["cmd".to_string()],
-            cwd: PathBuf::from("."),
-            env: HashMap::new(),
-            network: None,
-            expiration: ExecExpiration::DefaultTimeout,
-            capture_policy: codex_core::exec::ExecCapturePolicy::ShellTool,
-            sandbox: SandboxType::WindowsRestrictedToken,
-            windows_sandbox_level: WindowsSandboxLevel::Disabled,
-            windows_sandbox_private_desktop: false,
-            sandbox_policy: sandbox_policy.clone(),
-            file_system_sandbox_policy: FileSystemSandboxPolicy::from(&sandbox_policy),
-            network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
-            arg0: None,
-        }
+        ExecRequest::new(
+            vec!["cmd".to_string()],
+            PathBuf::from("."),
+            HashMap::new(),
+            /*network*/ None,
+            ExecExpiration::DefaultTimeout,
+            codex_core::exec::ExecCapturePolicy::ShellTool,
+            SandboxType::WindowsRestrictedToken,
+            WindowsSandboxLevel::Disabled,
+            /*windows_sandbox_private_desktop*/ false,
+            sandbox_policy.clone(),
+            FileSystemSandboxPolicy::from(&sandbox_policy),
+            NetworkSandboxPolicy::from(&sandbox_policy),
+            /*arg0*/ None,
+        )
     }
 
     #[tokio::test]
@@ -846,21 +846,21 @@ mod tests {
                 outgoing: Arc::new(OutgoingMessageSender::new(tx)),
                 request_id: request_id.clone(),
                 process_id: Some("proc-100".to_string()),
-                exec_request: ExecRequest {
-                    command: vec!["sh".to_string(), "-lc".to_string(), "sleep 30".to_string()],
-                    cwd: PathBuf::from("."),
-                    env: HashMap::new(),
-                    network: None,
-                    expiration: ExecExpiration::Cancellation(CancellationToken::new()),
-                    capture_policy: codex_core::exec::ExecCapturePolicy::ShellTool,
-                    sandbox: SandboxType::None,
-                    windows_sandbox_level: WindowsSandboxLevel::Disabled,
-                    windows_sandbox_private_desktop: false,
-                    sandbox_policy: sandbox_policy.clone(),
-                    file_system_sandbox_policy: FileSystemSandboxPolicy::from(&sandbox_policy),
-                    network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
-                    arg0: None,
-                },
+                exec_request: ExecRequest::new(
+                    vec!["sh".to_string(), "-lc".to_string(), "sleep 30".to_string()],
+                    PathBuf::from("."),
+                    HashMap::new(),
+                    /*network*/ None,
+                    ExecExpiration::Cancellation(CancellationToken::new()),
+                    codex_core::exec::ExecCapturePolicy::ShellTool,
+                    SandboxType::None,
+                    WindowsSandboxLevel::Disabled,
+                    /*windows_sandbox_private_desktop*/ false,
+                    sandbox_policy.clone(),
+                    FileSystemSandboxPolicy::from(&sandbox_policy),
+                    NetworkSandboxPolicy::from(&sandbox_policy),
+                    /*arg0*/ None,
+                ),
                 started_network_proxy: None,
                 tty: false,
                 stream_stdin: false,

codex-rs/core/README.md

@@ -51,7 +51,6 @@ Expects the binary containing `codex-core` to run the equivalent of `codex sandb
 Legacy `SandboxPolicy` / `sandbox_mode` configs are still supported on Linux.
 They can continue to use the legacy Landlock path when the split filesystem
 policy is sandbox-equivalent to the legacy model after `cwd` resolution.
-
 Split filesystem policies that need direct `FileSystemSandboxPolicy`
 enforcement, such as read-only or denied carveouts under a broader writable
 root, automatically route through bubblewrap. The legacy Landlock path is used
@@ -83,13 +82,18 @@ backend-managed system read roots required for basic execution, such as
 `C:\ProgramData`. When it is `false`, those extra system roots are omitted.
 
 The unelevated restricted-token backend still supports the legacy full-read
-Windows model only. Restricted read-only policies continue to fail closed there
-instead of running with weaker read enforcement.
+Windows model for legacy `ReadOnly` and `WorkspaceWrite` behavior. It also
+supports a narrow split-filesystem subset: full-read split policies whose
+writable roots still match the legacy `WorkspaceWrite` root set, but add extra
+read-only carveouts under those writable roots.
 
 New `[permissions]` / split filesystem policies remain supported on Windows
 only when they round-trip through the legacy `SandboxPolicy` model without
-changing semantics. Richer split-only carveouts still fail closed instead of
-running with weaker enforcement.
+changing semantics. Policies that would require direct read restriction,
+explicit unreadable carveouts, reopened writable descendants under read-only
+carveouts, different writable root sets, or split carveout support in the
+elevated setup/runner backend still fail closed instead of running with weaker
+enforcement.
 
 ### All Platforms