fix: support split carveouts in windows elevated sandbox#14568
Merged
viyatb-oai merged 19 commits intomainfrom Apr 10, 2026
Merged
fix: support split carveouts in windows elevated sandbox#14568viyatb-oai merged 19 commits intomainfrom
viyatb-oai merged 19 commits intomainfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 46da179661
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
viyatb-oai
force-pushed
the
codex/viyatb/permissions-windows-fail-closed
branch
from
86c7c4e to
17c89eb
Compare
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
46da179 to
aa35d52
Compare
viyatb-oai
changed the base branch from
codex/viyatb/permissions-windows-fail-closed
to
main
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
aa35d52 to
d10d8b5
Compare
viyatb-oai
changed the base branch from
main
to
codex/viyatb/permissions-windows-fail-closed
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
980af52 to
3f1c117
Compare
viyatb-oai
added a commit
that referenced
this pull request
Mar 25, 2026
) ## Summary - keep legacy Windows restricted-token sandboxing as the supported baseline - support the split-policy subset that restricted-token can enforce directly today - support full-disk read, the same writable root set as legacy `WorkspaceWrite`, and extra read-only carveouts under those writable roots via additional deny-write ACLs - continue to fail closed for unsupported split-only shapes, including explicit unreadable (`none`) carveouts, reopened writable descendants under read-only carveouts, and writable root sets that do not match the legacy workspace roots ## Example Given a filesystem policy like: ```toml ":root" = "read" ":cwd" = "write" "./docs" = "read" ``` the restricted-token backend can keep the workspace writable while denying writes under `docs` by layering an extra deny-write carveout on top of the legacy workspace-write roots. A policy like: ```toml "/workspace" = "write" "/workspace/docs" = "read" "/workspace/docs/tmp" = "write" ``` still fails closed, because the unelevated backend cannot reopen the nested writable descendant safely. ## Stack -> fix: support split carveouts in windows restricted-token sandbox #14172 fix: support split carveouts in windows elevated sandbox #14568
Base automatically changed from
codex/viyatb/permissions-windows-fail-closed
to
main
March 25, 2026 05:54
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
3f1c117 to
d30f171
Compare
viyatb-oai
force-pushed
the
codex/viyatb/windows-elevated-permissions-support
branch
from
d30f171 to
c7b5c90
Compare
rhan-oai
pushed a commit
that referenced
this pull request
Mar 25, 2026
) ## Summary - keep legacy Windows restricted-token sandboxing as the supported baseline - support the split-policy subset that restricted-token can enforce directly today - support full-disk read, the same writable root set as legacy `WorkspaceWrite`, and extra read-only carveouts under those writable roots via additional deny-write ACLs - continue to fail closed for unsupported split-only shapes, including explicit unreadable (`none`) carveouts, reopened writable descendants under read-only carveouts, and writable root sets that do not match the legacy workspace roots ## Example Given a filesystem policy like: ```toml ":root" = "read" ":cwd" = "write" "./docs" = "read" ``` the restricted-token backend can keep the workspace writable while denying writes under `docs` by layering an extra deny-write carveout on top of the legacy workspace-write roots. A policy like: ```toml "/workspace" = "write" "/workspace/docs" = "read" "/workspace/docs/tmp" = "write" ``` still fails closed, because the unelevated backend cannot reopen the nested writable descendant safely. ## Stack -> fix: support split carveouts in windows restricted-token sandbox #14172 fix: support split carveouts in windows elevated sandbox #14568
…elevated-permissions-support # Conflicts: # codex-rs/cli/src/debug_sandbox.rs # codex-rs/core/src/exec.rs # codex-rs/windows-sandbox-rs/src/elevated_impl.rs # codex-rs/windows-sandbox-rs/src/identity.rs # codex-rs/windows-sandbox-rs/src/setup_main_win.rs # codex-rs/windows-sandbox-rs/src/setup_orchestrator.rs
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
…elevated-permissions-support # Conflicts: # codex-rs/windows-sandbox-rs/src/identity.rs
Co-authored-by: Codex <noreply@openai.com>
…elevated-permissions-support
Co-authored-by: Codex <noreply@openai.com>
iceweasel-oai
approved these changes
Apr 9, 2026
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
viyatb-oai
deleted the
codex/viyatb/windows-elevated-permissions-support
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
none) carveouts and reopened writable descendants under read-only carveoutsExample
Given a split filesystem policy like:
the elevated backend now provisions the readable-root overrides, writable-root overrides, and extra deny-write carveouts during setup and refresh instead of collapsing back to the legacy workspace-only shape.
If a read-only carveout under a writable root is missing at setup time, elevated setup creates that carveout as an empty directory before applying its deny-write ACE; otherwise the sandboxed command could create it later and bypass the carveout. This is only for explicit policy carveouts. Best-effort workspace protections like
.codex/and.agents/still skip missing directories.A policy like:
still fails closed, because the elevated backend does not reopen writable descendants under read-only carveouts yet.