Skip to content

bug fixes and perf improvements for elevated sandbox setup #8094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
iceweasel-oai merged 2 commits into from
Dec 16, 2025
Merged

bug fixes and perf improvements for elevated sandbox setup #8094

iceweasel-oai merged 2 commits into from
Dec 16, 2025

Conversation

@iceweasel-oai
Copy link
Collaborator

@iceweasel-oai iceweasel-oai commented Dec 16, 2025

a few fixes based on testing feedback:

  • ensure cap_sid file is always written by elevated setup.
  • always log to same file whether using elevated sandbox or not
  • process potentially slow ACE write operations in parallel
  • dedupe write roots so we don't double process any
  • don't try to create read/write ACEs on the same directories, due to race condition

@iceweasel-oai iceweasel-oai changed the title bug fixes and perf improvements for sandbox setup bug fixes and perf improvements for elevated sandbox setup Dec 16, 2025
dylan-hurd-oai
dylan-hurd-oai approved these changes Dec 16, 2025
View reviewed changes
Copy link
Collaborator

@dylan-hurd-oai dylan-hurd-oai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of non-blocking comments, but generally curious if it would be worth it to make more of this async!

codex-rs/windows-sandbox-rs/src/lib.rs
let cap_sid_path = cap_sid_file(codex_home);
let is_workspace_write = matches!(&policy, SandboxPolicy::WorkspaceWrite { .. });

if matches!(&policy, SandboxPolicy::DangerFullAccess) {
Copy link
Collaborator

@dylan-hurd-oai dylan-hurd-oai Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we're adding this to fail earlier - is there a reason not to add this check immediately after parse_policy?

codex-rs/windows-sandbox-rs/src/setup_main_win.rs
}

let (tx, rx) = mpsc::channel::<(PathBuf, Result<bool>)>();
std::thread::scope(|scope| {
Copy link
Collaborator

@dylan-hurd-oai dylan-hurd-oai Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

run_setup is getting pretty long here - worth splitting up at all? particularly since we're splitting out threads

codex-rs/windows-sandbox-rs/src/setup_main_win.rs
}
}

let res = unsafe { ensure_allow_write_aces(&root, &psids) };
Copy link
Collaborator

@dylan-hurd-oai dylan-hurd-oai Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we potentially encapsulate the psid *mut c_void to reduce the proliferation of unsafe calls It looks like ensure_allow_write_aces is only called here - maybe we could update it to take in a str/String and call convert_string_sid_to_sid inside there?

@iceweasel-oai iceweasel-oai merged commit 3d14da9 into main Dec 16, 2025
64 of 68 checks passed
@iceweasel-oai iceweasel-oai deleted the dev/iceweasel/sandbox-set-fixes branch December 16, 2025 17:48
@github-actions github-actions bot locked and limited conversation to collaborators Dec 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@dylan-hurd-oai dylan-hurd-oai dylan-hurd-oai approved these changes

Assignees

@dylan-hurd-oai dylan-hurd-oai

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iceweasel-oai @dylan-hurd-oai