agent-approvals-security diff

agent-approvals-security.md +253 −16

Details

8 8

9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.9By default, the agent runs with network access turned off. Locally, Codex uses an OS-enforced sandbox that limits what it can touch (typically to the current workspace), plus an approval policy that controls when it must stop and ask you before acting.

10 10

11For a high-level explanation of how sandboxing works across the Codex app, IDE

12extension, and CLI, see [sandboxing](https://developers.openai.com/codex/concepts/sandboxing).

13For a broader enterprise security overview, see the [Codex security white paper](https://trust.openai.com/?itemUid=382f924d-54f3-43a8-a9df-c39e6c959958&source=click).

11## Sandbox and approvals15## Sandbox and approvals

12 16

13Codex security controls come from two layers that work together:17Codex security controls come from two layers that work together:

20- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.

21- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.

22 26

~~23In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.~~27In the `Auto` preset (for example, `--sandbox workspace-write --ask-for-approval on-request`), Codex can read files, make edits, and run commands in the working directory automatically.

24 28

25Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.

26 30

27Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).

28 32

~~29## Network access [Elevated Risk](https://help.openai.com/articles/20001061)~~33## Network access <ElevatedRiskBadge class="ml-2" />

30 34

31For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.

32 36

37network_access = true41network_access = true

38```42```

39 43

44### Network isolation

46Network access is controlled through destination rules that apply to scripts,

47programs, and subprocesses spawned by commands. When command network access is

48already enabled, turn on the `network_proxy` feature to constrain that traffic

49to the network policy you configure.

51```toml

52[features.network_proxy]

53enabled = true

54domains = { "api.openai.com" = "allow", "example.com" = "deny" }

55```

57For a one-off CLI session, use the boolean shorthand when you only need the

58toggle, and the table form when you also set policy options:

60```bash

61codex \

62 -c 'features.network_proxy=true' \

63 -c 'sandbox_workspace_write.network_access=true'

65codex \

66 -c 'features.network_proxy.enabled=true' \

67 -c 'features.network_proxy.domains={ "api.openai.com" = "allow", "example.com" = "deny" }' \

68 -c 'sandbox_workspace_write.network_access=true'

69```

71The feature changes how enabled network access is enforced; it does not grant

72network access by itself. Use `sandbox_workspace_write.network_access` with

73`workspace-write` config to decide whether commands have network access at all:

75- Network off + `network_proxy` on: network stays off, and the feature does nothing.

76- Network on + `network_proxy` off: network stays on with unrestricted direct

77 outbound access.

78- Network on + `network_proxy` on: network stays on, and outbound traffic is

79 constrained by the configured network policy.

81Admin-managed `experimental_network` requirements are separate from the user

82feature toggle. They can configure and start sandboxed networking without

83`features.network_proxy`, but they do not turn on network access when the active

84sandbox keeps it off. See [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-network-access-requirements)

85for the administrator-side `requirements.toml` shape.

87#### Network policy

89Domain rules are allowlist-first:

91- Exact hosts match only themselves.

92- `*.example.com` matches subdomains such as `api.example.com`, but not

93 `example.com`.

94- `**.example.com` matches both the apex and subdomains.

95- A global `*` allow rule matches any public host that is not denied. Treat `*`

96 as broad network access and prefer scoped rules when you can.

97- `deny` always wins over `allow`, and global `*` is only valid for allow rules.

99#### Local and private destinations

100

101By default, `allow_local_binding = false` blocks loopback, link-local, and

102private destinations:

103

104- Specific exceptions: add an exact local IP literal or `localhost` allow rule

105 when a command needs one local target.

106- Broader access: set `allow_local_binding = true` only when you intentionally

107 want wider local/private reach.

108- Wildcards: wildcard rules do not count as explicit local exceptions.

109- Resolved addresses: hostnames that resolve to local/private IPs stay blocked

110 even if they match the allowlist.

111

112#### DNS rebinding protections

113

114Before allowing a hostname, Codex performs a best-effort DNS and IP

115classification check:

116

117- Lookups that fail or time out are blocked.

118- Hostnames that resolve to non-public addresses are blocked.

119- The check reduces DNS rebinding risk, but it does not eliminate it. Preventing

120 rebinding completely would require pinning resolved IPs through the transport

121 layer.

122

123If hostile DNS is in scope, enforce egress controls at a lower layer too.

124

125#### Dangerous settings

126

127Two settings deliberately widen the trust boundary:

128

129- `dangerously_allow_non_loopback_proxy = true` can expose proxy listeners beyond

130 loopback.

131- `dangerously_allow_all_unix_sockets = true` bypasses the Unix socket allowlist.

132

133Use them only in tightly controlled environments. When Unix socket proxying is

134enabled, listeners stay loopback-only even if non-loopback binding was requested,

135so sandboxed networking does not become a remote bridge into local daemons.

136

137`network_proxy` is off by default. When you enable it:

138

139| Setting | Default | Behavior |

140| -------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

141| `enabled` | `false` | Starts sandboxed networking only when command network access is already on. |

142| `domains` | unset | Uses allowlist behavior, so no external destinations are allowed until you add `allow` rules. Supports exact hosts, scoped wildcards, and global `*` allow rules; `deny` always wins. |

143| `unix_sockets` | unset | No Unix socket destinations are allowed until you add explicit `allow` rules. |

144| `allow_local_binding` | `false` | Blocks local and private-network destinations unless you add an exact local IP literal or `localhost` allow rule, or explicitly opt into broader local/private access. |

145| `enable_socks5` | `true` | Exposes SOCKS5 support when policy allows it. |

146| `enable_socks5_udp` | `true` | Allows UDP over SOCKS5 when SOCKS5 is available. |

147| `allow_upstream_proxy` | `true` | Lets sandboxed networking honor an upstream proxy from the environment. |

148| `dangerously_allow_non_loopback_proxy` | `false` | Keeps listener endpoints on loopback unless you deliberately expose them beyond localhost. |

149| `dangerously_allow_all_unix_sockets` | `false` | Keeps Unix socket access allowlist-based unless you deliberately bypass that protection. |

150

40You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:151You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:

41 152

42```toml153```toml

69- `<writable_root>/.codex` is protected as read-only when it exists as a directory.180- `<writable_root>/.codex` is protected as read-only when it exists as a directory.

70- Protection is recursive, so everything under those paths is read-only.181- Protection is recursive, so everything under those paths is read-only.

71 182

183### Deny reads with filesystem profiles

184

185Named permission profiles can also deny reads for exact paths or glob patterns.

186This is useful when a workspace should stay writable but specific sensitive

187files, such as local environment files, must stay unreadable:

188

189```toml

190default_permissions = "workspace"

191

192[permissions.workspace.filesystem]

193":project_roots" = { "." = "write", "**/*.env" = "none" }

194glob_scan_max_depth = 3

195```

196

197Use `"none"` for paths or globs that Codex shouldn't read. The sandbox policy

198evaluates globs for local macOS and Linux command execution. On platforms that

199pre-expand glob matches before the sandbox starts, set `glob_scan_max_depth` for

200unbounded `**` patterns, or list explicit depths such as `*.env`, `*/*.env`, and

201`*/*/*.env`.

202

72### Run without approval prompts203### Run without approval prompts

73 204

74You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).205You can disable approval prompts with `--ask-for-approval never` or `-a never` (shorthand).

77 208

78If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.209If you need Codex to read files, make edits, and run commands with network access without approval prompts, use `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag). Use caution before doing so.

79 210

80For a middle ground, `approval_policy = { reject = { ... } }` lets you auto-reject specific approval prompt categories (sandbox escalation, execpolicy-rule prompts, or MCP elicitations) while keeping other prompts interactive.211For a middle ground, `approval_policy = { granular = { ... } }` lets you keep specific approval prompt categories interactive while automatically rejecting others. The granular policy covers sandbox approvals, execpolicy-rule prompts, MCP prompts, `request_permissions` prompts, and skill-script approvals.

212

213### Automatic approval reviews

214

215By default, approval requests route to you:

216

217```toml

218approvals_reviewer = "user"

219```

220

221Automatic approval reviews apply when approvals are interactive, such as

222`approval_policy = "on-request"` or a granular approval policy. Set

223`approvals_reviewer = "auto_review"` to route eligible approval requests

224through a reviewer agent before Codex runs the request:

225

226```toml

227approval_policy = "on-request"

228approvals_reviewer = "auto_review"

229```

230

231For the full reviewer lifecycle, trigger conditions, configuration precedence,

232and failure behavior, see

233[Auto-review](https://developers.openai.com/codex/concepts/sandboxing/auto-review).

234

235The reviewer evaluates only actions that already need approval, such as sandbox

236escalations, blocked network requests, `request_permissions` prompts, or

237side-effecting app and MCP tool calls. Actions that stay inside the sandbox

238continue without an extra review step.

239

240The reviewer policy checks for data exfiltration, credential probing, persistent

241security weakening, and destructive actions. Low-risk and medium-risk actions

242can proceed when policy allows them. The policy denies critical-risk actions.

243High-risk actions require enough user authorization and no matching deny rule.

244Prompt-build, review-session, and parse failures fail closed. Timeouts are

245surfaced separately, but the action still does not run.

246

247The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)

248is in the open-source Codex repository. Enterprises can replace its

249tenant-specific section with `guardian_policy_config` in managed requirements.

250Local `[auto_review].policy` text is also supported, but managed requirements

251take precedence. For setup details, see

252[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).

253

254In the Codex app, these reviews appear as automatic review items with a status

255such as Reviewing, Approved, Denied, Aborted, or Timed out. They can also

256include a risk level and user-authorization assessment for the reviewed

257request.

258

259Automatic review uses extra model calls, so it can add to Codex usage. Admins

260can constrain it with `allowed_approvals_reviewers`.

81 261

82### Common sandbox and approval combinations262### Common sandbox and approval combinations

83 263

85| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |265| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |

86| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |266| Auto (preset) | _no flags needed_ or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |

87| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |267| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |

89| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |269| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |

~~90| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* |~~270| Auto-review mode | `--sandbox workspace-write --ask-for-approval on-request -c approvals_reviewer=auto_review` or `approvals_reviewer = "auto_review"` | Same sandbox boundary as standard on-request mode, but eligible approval requests are reviewed by Auto-review instead of surfacing to the user. |

271| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | <ElevatedRiskBadge /> No sandbox; no approvals _(not recommended)_ |

91 272

~~92`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.~~273For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.

93 274

94With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.275With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.

95 276

107[sandbox_workspace_write]288[sandbox_workspace_write]

108network_access = true289network_access = true

109 290

110# Optional: granular approval prompt auto-rejection291# Optional: granular approval policy

111# approval_policy = { reject = { sandbox_approval = true, rules = false, mcp_elicitations = false } }292# approval_policy = { granular = {

293# sandbox_approval = true,

294# rules = true,

295# mcp_elicitations = true,

296# request_permissions = false,

297# skill_approval = false

298# } }

112```299```

113 300

114You can also save presets as profiles, then select them with `codex --profile <name>`:301You can also save presets as profiles, then select them with `codex --profile <name>`:

129 316

130```bash317```bash

131# macOS318# macOS

132codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...319codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...

133# Linux320# Linux

134codex sandbox linux [--full-auto] [COMMAND]...321codex sandbox linux [--permissions-profile <name>] [COMMAND]...

322# Windows

323codex sandbox windows [--permissions-profile <name>] [COMMAND]...

135```324```

136 325

137The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).326The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).

141Codex enforces the sandbox differently depending on your OS:330Codex enforces the sandbox differently depending on your OS:

142 331

143- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.332- **macOS** uses Seatbelt policies and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` mode you selected. When restricted read access enables platform defaults, Codex appends a curated macOS platform policy (instead of broadly allowing `/System`) to preserve common tool compatibility.

144- **Linux** uses `Landlock` plus `seccomp` by default. You can opt into the alternative Linux sandbox pipeline with `features.use_linux_sandbox_bwrap = true` (or `-c use_linux_sandbox_bwrap=true`). In managed proxy mode, the bwrap pipeline routes egress through a proxy-only bridge and fails closed if it cannot build valid loopback proxy routes; landlock-only flows do not use that bridge behavior.333- **Linux** uses `bwrap` plus `seccomp` by default.

145- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux (WSL)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.334- **Windows** uses the Linux sandbox implementation when running in [Windows Subsystem for Linux 2 (WSL2)](https://developers.openai.com/codex/windows#windows-subsystem-for-linux). WSL1 was supported through Codex `0.114`; starting in `0.115`, the Linux sandbox moved to `bwrap`, so WSL1 is no longer supported. When running natively on Windows, Codex uses a [Windows sandbox](https://developers.openai.com/codex/windows#windows-sandbox) implementation.

146 335

147If you use the Codex IDE extension on Windows, it supports WSL directly. Set the following in your VS Code settings to keep the agent inside WSL whenever it’s available:336If you use the Codex IDE extension on Windows, it supports WSL2 directly. Set the following in your VS Code settings to keep the agent inside WSL2 whenever it's available:

148 337

149```json338```json

150{339{

159```toml348```toml

160[windows]349[windows]

161sandbox = "unelevated" # or "elevated"350sandbox = "unelevated" # or "elevated"

351# sandbox_private_desktop = true # default; set false only for compatibility

162```352```

163 353

164See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.354See the [Windows setup guide](https://developers.openai.com/codex/windows#windows-sandbox) for details.

165 355

166When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration doesn’t support the required `Landlock` and `seccomp` features.356When you run Linux in a containerized environment such as Docker, the sandbox may not work if the host or container configuration blocks the namespace, setuid `bwrap`, or `seccomp` operations that Codex needs.

167 357

168In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.358In that case, configure your Docker container to provide the isolation you need, then run `codex` with `--sandbox danger-full-access` (or the `--dangerously-bypass-approvals-and-sandbox` flag) inside the container.

169 359

360### Run Codex in Dev Containers

361

362If your host cannot run the Linux sandbox directly, or if your organization already standardizes on containerized development, run Codex with Dev Containers and let Docker provide the outer isolation boundary. This works with Visual Studio Code Dev Containers and compatible tools.

363

364Use the [Codex secure devcontainer example](https://github.com/openai/codex/tree/main/.devcontainer) as a reference implementation. The example installs Codex, common development tools, `bubblewrap`, and firewall-based outbound controls.

365

366Devcontainers provide substantial protection, but they do not prevent every

367 attack. If you run Codex with `--sandbox danger-full-access` or

368 `--dangerously-bypass-approvals-and-sandbox` inside the container, a malicious

369 project can exfiltrate anything available inside the devcontainer, including

370 Codex credentials. Use this pattern only with trusted repositories, and

371 monitor Codex activity as you would in any other elevated environment.

372

373The reference implementation includes:

374

375- an Ubuntu 24.04 base image with Codex and common development tools installed;

376- an allowlist-driven firewall profile for outbound access;

377- VS Code settings and extension recommendations for reopening the workspace in a container;

378- persistent mounts for command history and Codex configuration;

379- `bubblewrap`, so Codex can still use its Linux sandbox when the container grants the needed capabilities.

380

381To try it:

382

3831. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).

3842. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.

3853. In VS Code, run **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.

3864. After the container starts, open a terminal and run `codex`.

387

388You can also start the container from the CLI:

389

390```bash

391devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json

392```

393

394The example has three main pieces:

395

396- `.devcontainer/devcontainer.secure.json` controls container settings, capabilities, mounts, environment variables, and VS Code extensions.

397- `.devcontainer/Dockerfile.secure` defines the Ubuntu-based image and installed tools.

398- `.devcontainer/init-firewall.sh` applies the outbound network policy.

399

400The reference firewall is intentionally a starting point. If you depend on domain allowlisting for isolation, implement DNS rebinding and DNS refresh protections that fit your environment, such as TTL-aware refreshes or a DNS-aware firewall.

401

402Inside the container, choose one of these modes:

403

404- Keep Codex's Linux sandbox enabled if the Dev Container profile grants the capabilities needed for `bwrap` to create the inner sandbox.

405- If the container is your intended security boundary, run Codex with `--sandbox danger-full-access` inside the container so Codex does not try to create a second sandbox layer.

406

170## Version control407## Version control

171 408

172Codex works best with a version control workflow:409Codex works best with a version control workflow:

agent-approvals-security.md Codex Docs, 2026-03-07 00:33 UTC → 2026-05-18 22:01 UTC