Improve world-writable scan (#6381)

1. scan many more directories since it's much faster than the original implementation 2. limit overall scan time to 2s 3. skip some directories that are noisy - ApplicationData, Installer, etc.
2025-11-07 21:28:55 -08:00
parent a2fdfce02a
commit 917f39ec12
7 changed files with 66 additions and 20 deletions
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -171,8 +171,9 @@ mod windows_impl {
    pub fn preflight_audit_everyone_writable(
        cwd: &Path,
        env_map: &HashMap<String, String>,
+        logs_base_dir: Option<&Path>,
    ) -> Result<()> {
-        audit::audit_everyone_writable(cwd, env_map)
+        audit::audit_everyone_writable(cwd, env_map, logs_base_dir)
    }

    pub fn run_windows_sandbox_capture(
@@ -436,6 +437,7 @@ mod stub {
    pub fn preflight_audit_everyone_writable(
        _cwd: &Path,
        _env_map: &HashMap<String, String>,
+        _logs_base_dir: Option<&Path>,
    ) -> Result<()> {
        bail!("Windows sandbox is only available on Windows")
    }