windows-sandbox-rs/src/workspace_acl.rs
30 lines
use crate::acl::add_deny_write_ace;use crate::path_normalization::canonicalize_path;use anyhow::Result;use std::ffi::c_void;use std::path::Path;pub fn is_command_cwd_root(root: &Path, canonical_command_cwd: &Path) -> bool { canonicalize_path(root) == canonical_command_cwd}/// # Safety/// Caller must ensure `psid` is a valid SID pointer.pub unsafe fn protect_workspace_codex_dir(cwd: &Path, psid: *mut c_void) -> Result<bool> { protect_workspace_subdir(cwd, psid, ".codex")}/// # Safety/// Caller must ensure `psid` is a valid SID pointer.pub unsafe fn protect_workspace_agents_dir(cwd: &Path, psid: *mut c_void) -> Result<bool> { protect_workspace_subdir(cwd, psid, ".agents")}unsafe fn protect_workspace_subdir(cwd: &Path, psid: *mut c_void, subdir: &str) -> Result<bool> { let path = cwd.join(subdir); if path.is_dir() { add_deny_write_ace(&path, psid) } else { Ok(false) }}