valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e81f1900da465f1e65c3edfe212be715d707448
llmx/codex-rs/windows-sandbox-rs/src/token.rs
iceweasel-oai 87cce88f48 Windows Sandbox - Alpha version (#4905) 
- Added the new codex-windows-sandbox crate that builds both a library
entry point (run_windows_sandbox_capture) and a CLI executable to launch
commands inside a Windows restricted-token sandbox, including ACL
management, capability SID provisioning, network lockdown, and output
capture
(windows-sandbox-rs/src/lib.rs:167, windows-sandbox-rs/src/main.rs:54).
- Introduced the experimental WindowsSandbox feature flag and wiring so
Windows builds can opt into the sandbox:
SandboxType::WindowsRestrictedToken, the in-process execution path, and
platform sandbox selection now honor the flag (core/src/features.rs:47,
core/src/config.rs:1224, core/src/safety.rs:19,
core/src/sandboxing/mod.rs:69, core/src/exec.rs:79,
core/src/exec.rs:172).
- Updated workspace metadata to include the new crate and its
Windows-specific dependencies so the core crate can link against it
(codex-rs/
    Cargo.toml:91, core/Cargo.toml:86).
- Added a PowerShell bootstrap script that installs the Windows
toolchain, required CLI utilities, and builds the workspace to ease
development
    on the platform (scripts/setup-windows.ps1:1).
- Landed a Python smoke-test suite that exercises
read-only/workspace-write policies, ACL behavior, and network denial for
the Windows sandbox
    binary (windows-sandbox-rs/sandbox_smoketests.py:1).
2025-10-30 15:51:57 -07:00

273 lines
9.3 KiB
Rust
Raw Blame History

use crate::winutil::to_wide;
use anyhow::anyhow;
use anyhow::Result;
use std::ffi::c_void;
use windows_sys::Win32::Foundation::CloseHandle;
use windows_sys::Win32::Foundation::GetLastError;
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::Foundation::LUID;
use windows_sys::Win32::Security::AdjustTokenPrivileges;
use windows_sys::Win32::Security::CopySid;
use windows_sys::Win32::Security::CreateRestrictedToken;
use windows_sys::Win32::Security::CreateWellKnownSid;
use windows_sys::Win32::Security::GetLengthSid;
use windows_sys::Win32::Security::GetTokenInformation;
use windows_sys::Win32::Security::LookupPrivilegeValueW;
use windows_sys::Win32::Security::TokenGroups;
use windows_sys::Win32::Security::SID_AND_ATTRIBUTES;
use windows_sys::Win32::Security::TOKEN_ADJUST_DEFAULT;
use windows_sys::Win32::Security::TOKEN_ADJUST_PRIVILEGES;
use windows_sys::Win32::Security::TOKEN_ADJUST_SESSIONID;
use windows_sys::Win32::Security::TOKEN_ASSIGN_PRIMARY;
use windows_sys::Win32::Security::TOKEN_DUPLICATE;
use windows_sys::Win32::Security::TOKEN_PRIVILEGES;
use windows_sys::Win32::Security::TOKEN_QUERY;
use windows_sys::Win32::System::Threading::GetCurrentProcess;
const DISABLE_MAX_PRIVILEGE: u32 = 0x01;
const LUA_TOKEN: u32 = 0x04;
const WRITE_RESTRICTED: u32 = 0x08;
const WIN_WORLD_SID: i32 = 1;
const SE_GROUP_LOGON_ID: u32 = 0xC0000000;
pub unsafe fn world_sid() -> Result<Vec<u8>> {
let mut size: u32 = 0;
CreateWellKnownSid(
WIN_WORLD_SID,
std::ptr::null_mut(),
std::ptr::null_mut(),
&mut size,
);
let mut buf: Vec<u8> = vec![0u8; size as usize];
let ok = CreateWellKnownSid(
WIN_WORLD_SID,
std::ptr::null_mut(),
buf.as_mut_ptr() as *mut c_void,
&mut size,
);
if ok == 0 {
return Err(anyhow!("CreateWellKnownSid failed: {}", GetLastError()));
}
Ok(buf)
}
pub unsafe fn convert_string_sid_to_sid(s: &str) -> Option<*mut c_void> {
#[link(name = "advapi32")]
extern "system" {
fn ConvertStringSidToSidW(StringSid: *const u16, Sid: *mut *mut c_void) -> i32;
}
let mut psid: *mut c_void = std::ptr::null_mut();
let ok = unsafe { ConvertStringSidToSidW(to_wide(s).as_ptr(), &mut psid) };
if ok != 0 {
Some(psid)
} else {
None
}
}
pub unsafe fn get_current_token_for_restriction() -> Result<HANDLE> {
let desired = TOKEN_DUPLICATE
| TOKEN_QUERY
| TOKEN_ASSIGN_PRIMARY
| TOKEN_ADJUST_DEFAULT
| TOKEN_ADJUST_SESSIONID
| TOKEN_ADJUST_PRIVILEGES;
let mut h: HANDLE = 0;
#[link(name = "advapi32")]
extern "system" {
fn OpenProcessToken(
ProcessHandle: HANDLE,
DesiredAccess: u32,
TokenHandle: *mut HANDLE,
) -> i32;
}
let ok = unsafe { OpenProcessToken(GetCurrentProcess(), desired, &mut h) };
if ok == 0 {
return Err(anyhow!("OpenProcessToken failed: {}", GetLastError()));
}
Ok(h)
}
pub unsafe fn get_logon_sid_bytes(h_token: HANDLE) -> Result<Vec<u8>> {
unsafe fn scan_token_groups_for_logon(h: HANDLE) -> Option<Vec<u8>> {
let mut needed: u32 = 0;
GetTokenInformation(h, TokenGroups, std::ptr::null_mut(), 0, &mut needed);
if needed == 0 {
return None;
}
let mut buf: Vec<u8> = vec![0u8; needed as usize];
let ok = GetTokenInformation(
h,
TokenGroups,
buf.as_mut_ptr() as *mut c_void,
needed,
&mut needed,
);
if ok == 0 || (needed as usize) < std::mem::size_of::<u32>() {
return None;
}
let group_count = std::ptr::read_unaligned(buf.as_ptr() as *const u32) as usize;
// TOKEN_GROUPS layout is: DWORD GroupCount; SID_AND_ATTRIBUTES Groups[];
// On 64-bit, Groups is aligned to pointer alignment after 4-byte GroupCount.
let after_count = unsafe { buf.as_ptr().add(std::mem::size_of::<u32>()) } as usize;
let align = std::mem::align_of::<SID_AND_ATTRIBUTES>();
let aligned = (after_count + (align - 1)) & !(align - 1);
let groups_ptr = aligned as *const SID_AND_ATTRIBUTES;
for i in 0..group_count {
let entry: SID_AND_ATTRIBUTES = std::ptr::read_unaligned(groups_ptr.add(i));
if (entry.Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID {
let sid = entry.Sid;
let sid_len = GetLengthSid(sid);
if sid_len == 0 {
return None;
}
let mut out = vec![0u8; sid_len as usize];
if CopySid(sid_len, out.as_mut_ptr() as *mut c_void, sid) == 0 {
return None;
}
return Some(out);
}
}
None
}
if let Some(v) = scan_token_groups_for_logon(h_token) {
return Ok(v);
}
#[repr(C)]
struct TOKEN_LINKED_TOKEN {
linked_token: HANDLE,
}
const TOKEN_LINKED_TOKEN_CLASS: i32 = 19; // TokenLinkedToken
let mut ln_needed: u32 = 0;
GetTokenInformation(
h_token,
TOKEN_LINKED_TOKEN_CLASS,
std::ptr::null_mut(),
0,
&mut ln_needed,
);
if ln_needed >= std::mem::size_of::<TOKEN_LINKED_TOKEN>() as u32 {
let mut ln_buf: Vec<u8> = vec![0u8; ln_needed as usize];
let ok = GetTokenInformation(
h_token,
TOKEN_LINKED_TOKEN_CLASS,
ln_buf.as_mut_ptr() as *mut c_void,
ln_needed,
&mut ln_needed,
);
if ok != 0 {
let lt: TOKEN_LINKED_TOKEN =
std::ptr::read_unaligned(ln_buf.as_ptr() as *const TOKEN_LINKED_TOKEN);
if lt.linked_token != 0 {
let res = scan_token_groups_for_logon(lt.linked_token);
CloseHandle(lt.linked_token);
if let Some(v) = res {
return Ok(v);
}
}
}
}
Err(anyhow!("Logon SID not present on token"))
}
unsafe fn enable_single_privilege(h_token: HANDLE, name: &str) -> Result<()> {
let mut luid = LUID {
LowPart: 0,
HighPart: 0,
};
let ok = LookupPrivilegeValueW(std::ptr::null(), to_wide(name).as_ptr(), &mut luid);
if ok == 0 {
return Err(anyhow!("LookupPrivilegeValueW failed: {}", GetLastError()));
}
let mut tp: TOKEN_PRIVILEGES = std::mem::zeroed();
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = 0x00000002; // SE_PRIVILEGE_ENABLED
let ok2 = AdjustTokenPrivileges(h_token, 0, &tp, 0, std::ptr::null_mut(), std::ptr::null_mut());
if ok2 == 0 {
return Err(anyhow!("AdjustTokenPrivileges failed: {}", GetLastError()));
}
let err = GetLastError();
if err != 0 {
return Err(anyhow!("AdjustTokenPrivileges error {}", err));
}
Ok(())
}
// removed unused create_write_restricted_token_strict
pub unsafe fn create_workspace_write_token_with_cap(
psid_capability: *mut c_void,
) -> Result<(HANDLE, *mut c_void)> {
let base = get_current_token_for_restriction()?;
let mut logon_sid_bytes = get_logon_sid_bytes(base)?;
let psid_logon = logon_sid_bytes.as_mut_ptr() as *mut c_void;
let mut everyone = world_sid()?;
let psid_everyone = everyone.as_mut_ptr() as *mut c_void;
let mut entries: [SID_AND_ATTRIBUTES; 3] = std::mem::zeroed();
// Exact set and order: Capability, Logon, Everyone
entries[0].Sid = psid_capability;
entries[0].Attributes = 0;
entries[1].Sid = psid_logon;
entries[1].Attributes = 0;
entries[2].Sid = psid_everyone;
entries[2].Attributes = 0;
let mut new_token: HANDLE = 0;
let flags = DISABLE_MAX_PRIVILEGE | LUA_TOKEN | WRITE_RESTRICTED;
let ok = CreateRestrictedToken(
base,
flags,
0,
std::ptr::null(),
0,
std::ptr::null(),
3,
entries.as_mut_ptr(),
&mut new_token,
);
if ok == 0 {
return Err(anyhow!("CreateRestrictedToken failed: {}", GetLastError()));
}
enable_single_privilege(new_token, "SeChangeNotifyPrivilege")?;
Ok((new_token, psid_capability))
}
pub unsafe fn create_readonly_token_with_cap(
psid_capability: *mut c_void,
) -> Result<(HANDLE, *mut c_void)> {
let base = get_current_token_for_restriction()?;
let mut logon_sid_bytes = get_logon_sid_bytes(base)?;
let psid_logon = logon_sid_bytes.as_mut_ptr() as *mut c_void;
let mut everyone = world_sid()?;
let psid_everyone = everyone.as_mut_ptr() as *mut c_void;
let mut entries: [SID_AND_ATTRIBUTES; 3] = std::mem::zeroed();
// Exact set and order: Capability, Logon, Everyone
entries[0].Sid = psid_capability;
entries[0].Attributes = 0;
entries[1].Sid = psid_logon;
entries[1].Attributes = 0;
entries[2].Sid = psid_everyone;
entries[2].Attributes = 0;
let mut new_token: HANDLE = 0;
let flags = DISABLE_MAX_PRIVILEGE | LUA_TOKEN | WRITE_RESTRICTED;
let ok = CreateRestrictedToken(
base,
flags,
0,
std::ptr::null(),
0,
std::ptr::null(),
3,
entries.as_mut_ptr(),
&mut new_token,
);
if ok == 0 {
return Err(anyhow!("CreateRestrictedToken failed: {}", GetLastError()));
}
enable_single_privilege(new_token, "SeChangeNotifyPrivilege")?;
Ok((new_token, psid_capability))
}
Reference in New Issue View Git Blame Copy Permalink