Skip to content

Require elevated-only Windows policy for network proxies#31437

Open
iceweasel-oai wants to merge 5 commits into
mainfrom
codex/require-elevated-windows-managed-network
Open

Require elevated-only Windows policy for network proxies#31437
iceweasel-oai wants to merge 5 commits into
mainfrom
codex/require-elevated-windows-managed-network

Conversation

@iceweasel-oai

@iceweasel-oai iceweasel-oai commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Why

Windows network proxy enforcement previously promoted command execution to the elevated sandbox backend whenever a proxy was present. That could produce an unexpected UAC prompt even when the configured sandbox was unelevated.

Backend selection should follow the configured sandbox level, not silently override it. To keep proxy enforcement valid, any effective Windows configuration that activates the network proxy must explicitly include an administrator-authored requirement that permits only the elevated Windows sandbox.

This supersedes #28591 by validating the policy when effective configuration is resolved instead of allowing ordinary app setup to create an incompatible state.

What changed

  • Require any effective Windows network proxy configuration to include:
    [windows]
    allowed_sandbox_implementations = ["elevated"]
  • Apply that requirement to proxies produced by managed [experimental_network] requirements, the network_proxy feature, legacy network settings, CLI overrides, and active permission profiles.
  • Validate dormant permission profiles when they are selected rather than scanning every profile at startup.
  • Retain a defense-in-depth error for incompatible unmanaged or manually constructed network proxy + unelevated Windows sandbox execution requests.
  • Select the elevated Windows backend only when the configured sandbox level is elevated; network presence no longer promotes the backend.
  • Treat the two Windows network configuration errors as unrecoverable in app-server, leaving fallback behavior for unrelated config errors unchanged.

Validation

  • cargo test -p codex-config --lib
  • cargo test -p codex-core network_proxy --lib
  • cargo test -p codex-core active_profile_update_rebuilds_network_proxy_config --lib
  • cargo test -p codex-app-server windows_sandbox --lib
  • cargo test -p codex-app-server windows_network_config_errors_are_unrecoverable --lib
  • cargo clippy -p codex-config -p codex-core -p codex-app-server --lib --no-deps -- -D warnings

Documentation

Update the network proxy documentation to state that Windows deployments must pin allowed_sandbox_implementations to ["elevated"] in requirements.

@iceweasel-oai iceweasel-oai marked this pull request as ready for review July 7, 2026 17:24
@iceweasel-oai iceweasel-oai requested a review from a team as a code owner July 7, 2026 17:24
@iceweasel-oai

Copy link
Copy Markdown
Collaborator Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown
Contributor

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

Reviewed commit: 36e6579917

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@iceweasel-oai iceweasel-oai changed the title Require elevated-only Windows policy for managed networking Require elevated-only Windows policy for network proxies Jul 7, 2026
@iceweasel-oai

Copy link
Copy Markdown
Collaborator Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d1e181047f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/config/src/config_requirements.rs Outdated
Comment thread codex-rs/core/src/config/mod.rs
Comment on lines +629 to +630
validate_windows_network_proxy_requirements_for_platform(
cfg!(target_os = "windows"),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Do not key Windows proxy validation off app-server OS

In mixed deployments where the app-server runs on Linux/macOS but the selected exec-server is Windows, this cfg!(target_os = "windows") is false while the sandbox context still carries a Windows sandbox level to the remote executor. User/CLI/profile-driven network proxy configs can therefore load without the elevated-only Windows requirement and be sent to a Windows exec-server, bypassing the policy this change is trying to enforce for that executor; the check needs to use the target executor platform or otherwise validate before sending Windows sandbox requests.

AGENTS.md reference: AGENTS.md:L317-L322

Useful? React with 👍 / 👎.

@iceweasel-oai

Copy link
Copy Markdown
Collaborator Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c32b50beb7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/core/src/config/mod.rs Outdated
@iceweasel-oai

Copy link
Copy Markdown
Collaborator Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c20a892b53

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/core/src/exec.rs
Comment on lines +415 to +419
validate_windows_sandbox_network_proxy_compatibility(
exec_req.windows_sandbox_level,
exec_req.network.is_some(),
);
)
.map_err(CodexErr::Io)?;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Apply proxy/sandbox guard to unified exec

This compatibility check only protects the legacy build_exec_request path; the unified-exec runtime builds its ExecRequest through SandboxAttempt::env_for, so it never reaches this guard, and the Windows spawn branch in core/src/unified_exec/process_manager.rs still sends WindowsSandboxLevel::RestrictedToken requests to spawn_windows_sandbox_session_legacy where request.network is not enforced. For any unified-exec session or manually constructed TurnContext that still has a network proxy with the restricted-token Windows sandbox, the proxy is silently dropped instead of failing; put this validation in the shared sandbox/ExecRequest preparation path or add the same guard before unified-exec Windows spawning.

Useful? React with 👍 / 👎.

Comment on lines +531 to 532
if strict_config || is_unrecoverable_windows_network_config_error(&err) {
return Err(err);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep cloud-authorized proxy configs bootstrappable

When network_proxy is enabled in local/user config and the required elevated-only [windows] requirement is supplied by the cloud bundle, the preload above still uses the default empty cloud loader, so it fails before replace_cloud_config_bundle_loader can install the real loader; this new unrecoverable branch then makes the second load return the same missing-requirements error instead of retrying with the cloud requirements. That bricks an otherwise valid cloud-managed Windows config at app-server startup, so defer this hard failure until after the cloud loader is installed or bootstrap auth without enforcing this requirement.

AGENTS.md reference: AGENTS.md:L105-L110

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant