llmx/codex-rs/windows-sandbox-rs/src/allow.rs
iceweasel-oai 87cce88f48 Windows Sandbox - Alpha version (#4905)
- Added the new codex-windows-sandbox crate that builds both a library
entry point (run_windows_sandbox_capture) and a CLI executable to launch
commands inside a Windows restricted-token sandbox, including ACL
management, capability SID provisioning, network lockdown, and output
capture
(windows-sandbox-rs/src/lib.rs:167, windows-sandbox-rs/src/main.rs:54).
- Introduced the experimental WindowsSandbox feature flag and wiring so
Windows builds can opt into the sandbox:
SandboxType::WindowsRestrictedToken, the in-process execution path, and
platform sandbox selection now honor the flag (core/src/features.rs:47,
core/src/config.rs:1224, core/src/safety.rs:19,
core/src/sandboxing/mod.rs:69, core/src/exec.rs:79,
core/src/exec.rs:172).
- Updated workspace metadata to include the new crate and its
Windows-specific dependencies so the core crate can link against it
(codex-rs/Cargo.toml:91, core/Cargo.toml:86).
- Added a PowerShell bootstrap script that installs the Windows
toolchain, required CLI utilities, and builds the workspace to ease
development on the platform (scripts/setup-windows.ps1:1).
- Landed a Python smoke-test suite that exercises
read-only/workspace-write policies, ACL behavior, and network denial for
the Windows sandbox binary (windows-sandbox-rs/sandbox_smoketests.py:1).
2025-10-30 15:51:57 -07:00

38 lines
1.2 KiB
Rust

use crate::policy::SandboxMode;
use crate::policy::SandboxPolicy;
use std::collections::HashMap;
use std::collections::HashSet;
use std::path::Path;
use std::path::PathBuf;

/// Computes the directories the sandboxed process is granted write access to.
///
/// - `WorkspaceWrite` adds `command_cwd`, the directory the command runs in.
/// - Every mode except `ReadOnly` also adds the directories named by the
///   `TEMP` and `TMP` variables, taken from `env_map` first and falling back
///   to the parent process environment. Whatever directory those variables
///   name is allowed (if it exists), so the caller decides how trustworthy
///   the contents of `env_map` are.
/// - A path is added at most once, keyed on its lossy string form, and only
///   if it exists when this runs. Two spellings of the same directory (with
///   and without a trailing separator, or differing in case) are not
///   recognised as duplicates by this key.
///
/// `_policy_cwd` is currently unused.
pub fn compute_allow_paths(
    policy: &SandboxPolicy,
    _policy_cwd: &Path,
    command_cwd: &Path,
    env_map: &HashMap<String, String>,
) -> Vec<PathBuf> {
    let mut allow: Vec<PathBuf> = Vec::new();
    let mut seen = HashSet::new();

    // Workspace-write: the command's working directory becomes writable.
    if matches!(policy.0, SandboxMode::WorkspaceWrite) {
        let abs = command_cwd.to_path_buf();
        if seen.insert(abs.to_string_lossy().to_string()) && abs.exists() {
            allow.push(abs);
        }
    }

    // Anything but read-only: the temp directories become writable.
    if !matches!(policy.0, SandboxMode::ReadOnly) {
        for key in ["TEMP", "TMP"] {
            if let Some(v) = env_map.get(key) {
                let abs = PathBuf::from(v);
                if seen.insert(abs.to_string_lossy().to_string()) && abs.exists() {
                    allow.push(abs);
                }
            } else if let Ok(v) = std::env::var(key) {
                let abs = PathBuf::from(v);
                if seen.insert(abs.to_string_lossy().to_string()) && abs.exists() {
                    allow.push(abs);
                }
            }
        }
    }

    allow
}
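The harness below is an added example, not code from the codex project: it reproduces the `compute_allow_paths` logic above with stand-in `SandboxMode`/`SandboxPolicy` types (the tuple-struct shape is implied by `policy.0`; the `DangerFullAccess` variant is an assumption) and runs it against real directories to show which policy grants what, that the caller-supplied env map wins over the process environment, that a missing cwd is silently dropped, and that the string-keyed dedup lets `…\tmp` and `…\tmp\` both through. `compute_allow_dirs` is a hypothetical hardened variant (not the project's) that resolves each candidate with `fs::canonicalize`, requires a directory, and dedups on the resolved path.

```rust
// Added example (not the codex project's code). Stand-in types below are
// assumptions standing in for crate::policy.
use std::collections::{HashMap, HashSet};
use std::fs;
use std::path::{Path, PathBuf};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SandboxMode {
    ReadOnly,
    WorkspaceWrite,
    DangerFullAccess, // assumed third mode; only "not ReadOnly" matters here
}
pub struct SandboxPolicy(pub SandboxMode);

/// Look up TEMP/TMP the way the page does: caller env first, process env second.
fn temp_var(key: &str, env_map: &HashMap<String, String>) -> Option<String> {
    env_map.get(key).cloned().or_else(|| std::env::var(key).ok())
}

/// The page's logic, reproduced so the scenarios below exercise it.
pub fn compute_allow_paths(
    policy: &SandboxPolicy,
    _policy_cwd: &Path,
    command_cwd: &Path,
    env_map: &HashMap<String, String>,
) -> Vec<PathBuf> {
    let mut allow = Vec::new();
    let mut seen = HashSet::new(); // keyed on the lossy string, as on the page
    if matches!(policy.0, SandboxMode::WorkspaceWrite) {
        let abs = command_cwd.to_path_buf();
        if seen.insert(abs.to_string_lossy().to_string()) && abs.exists() {
            allow.push(abs);
        }
    }
    if !matches!(policy.0, SandboxMode::ReadOnly) {
        for key in ["TEMP", "TMP"] {
            if let Some(v) = temp_var(key, env_map) {
                let abs = PathBuf::from(v);
                if seen.insert(abs.to_string_lossy().to_string()) && abs.exists() {
                    allow.push(abs);
                }
            }
        }
    }
    allow
}

/// Hypothetical hardened variant: canonicalize (collapses "..", symlinks and
/// trailing separators, fails for a missing path), insist on a directory, and
/// dedup on the resolved PathBuf instead of its string spelling.
pub fn compute_allow_dirs(
    policy: &SandboxPolicy,
    command_cwd: &Path,
    env_map: &HashMap<String, String>,
) -> Vec<PathBuf> {
    let mut allow: Vec<PathBuf> = Vec::new();
    let mut seen: HashSet<PathBuf> = HashSet::new();
    let mut add = |candidate: &Path| {
        if let Ok(resolved) = fs::canonicalize(candidate) {
            if resolved.is_dir() && seen.insert(resolved.clone()) {
                allow.push(resolved);
            }
        }
    };
    if matches!(policy.0, SandboxMode::WorkspaceWrite) {
        add(command_cwd);
    }
    if !matches!(policy.0, SandboxMode::ReadOnly) {
        for key in ["TEMP", "TMP"] {
            if let Some(v) = temp_var(key, env_map) {
                add(Path::new(&v));
            }
        }
    }
    allow
}

pub struct Scenarios {
    pub ws: PathBuf,
    pub tmp: PathBuf,
    pub read_only: Vec<PathBuf>,
    pub workspace: Vec<PathBuf>,
    pub missing_cwd: Vec<PathBuf>,
    pub full_access: Vec<PathBuf>,
    pub canonical: Vec<PathBuf>,
}

/// Builds a scratch workspace and temp dir, then runs every policy against a
/// constructed env map in which TMP names the same directory as TEMP but with
/// a trailing separator.
pub fn run_scenarios() -> std::io::Result<Scenarios> {
    let base = std::env::temp_dir().join(format!("allow_rs_example_{}", std::process::id()));
    let ws = base.join("ws");
    let tmp = base.join("tmp");
    fs::create_dir_all(&ws)?;
    fs::create_dir_all(&tmp)?;
    let mut env = HashMap::new();
    env.insert("TEMP".to_string(), tmp.to_string_lossy().into_owned());
    env.insert("TMP".to_string(), format!("{}{}", tmp.to_string_lossy(), std::path::MAIN_SEPARATOR));
    let (ro, ww, fa) = (
        SandboxPolicy(SandboxMode::ReadOnly),
        SandboxPolicy(SandboxMode::WorkspaceWrite),
        SandboxPolicy(SandboxMode::DangerFullAccess),
    );
    let missing = base.join("does-not-exist");
    let s = Scenarios {
        read_only: compute_allow_paths(&ro, &ws, &ws, &env),
        workspace: compute_allow_paths(&ww, &ws, &ws, &env),
        missing_cwd: compute_allow_paths(&ww, &ws, &missing, &env),
        full_access: compute_allow_paths(&fa, &ws, &ws, &env),
        canonical: compute_allow_dirs(&ww, &ws, &env),
        ws,
        tmp,
    };
    let _ = fs::remove_dir_all(&base);
    Ok(s)
}

fn main() -> std::io::Result<()> {
    let s = run_scenarios()?;
    println!("read-only:         {:?}", s.read_only);
    println!("workspace-write:   {:?}", s.workspace);
    println!("missing cwd:       {:?}", s.missing_cwd);
    println!("full access:       {:?}", s.full_access);
    println!("canonical variant: {:?}", s.canonical);
    Ok(())
}
```

Running it shows the read-only policy yields no paths even though TEMP is set, workspace-write yields cwd plus both spellings of the temp directory (three entries), a nonexistent cwd is dropped without error, and the canonical variant collapses the two temp spellings into one. One caveat for a real Windows build: `fs::canonicalize` returns verbatim `\\?\C:\...` paths there, which is not what you want to hand to every ACL call, so a production version would more likely use `std::path::absolute` plus a case-insensitive key than canonicalize outright.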