agent-approvals-security.md +133 −17
24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.24- **Codex cloud**: Runs in isolated OpenAI-managed containers, preventing access to your host system or unrelated data. Uses a two-phase runtime model: setup runs before the agent phase and can access the network to install specified dependencies, then the agent phase runs offline by default unless you enable internet access for that environment. Secrets configured for cloud environments are available only during setup and are removed before the agent phase starts.
25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.25- **Codex CLI / IDE extension**: OS-level mechanisms enforce sandbox policies. Defaults include no network access and write permissions limited to the active workspace. You can configure the sandbox, approval policy, and network settings based on your risk tolerance.
26 26
2727In the `Auto` preset (for example, `--full-auto`), Codex can read files, make edits, and run commands in the working directory automatically.In the `Auto` preset (for example, `--sandbox workspace-write --ask-for-approval on-request`), Codex can read files, make edits, and run commands in the working directory automatically.
28 28
29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.29Codex asks for approval to edit files outside the workspace or to run commands that require network access. If you want to chat or plan without making changes, switch to `read-only` mode with the `/permissions` command.
30 30
31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).31Codex can also elicit approval for app (connector) tool calls that advertise side effects, even when the action isn't a shell command or file change. Destructive app/MCP tool calls always require approval when the tool advertises a destructive annotation, even if it also advertises other hints (for example, read-only hints).
32 32
3333## Network access [Elevated Risk](https://help.openai.com/articles/20001061)## Network access <ElevatedRiskBadge class="ml-2" />
34 34
35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.35For Codex cloud, see [agent internet access](https://developers.openai.com/codex/cloud/internet-access) to enable full internet access or a domain allow list.
36 36
41network_access = true41network_access = true
42```42```
43 43
44### Network isolation
45
46Network access is controlled through destination rules that apply to scripts,
47programs, and subprocesses spawned by commands. When command network access is
48already enabled, turn on the `network_proxy` feature to constrain that traffic
49to the network policy you configure.
50
51```toml
52[features.network_proxy]
53enabled = true
54domains = { "api.openai.com" = "allow", "example.com" = "deny" }
55```
56
57For a one-off CLI session, use the boolean shorthand when you only need the
58toggle, and the table form when you also set policy options:
59
60```bash
61codex \
62 -c 'features.network_proxy=true' \
63 -c 'sandbox_workspace_write.network_access=true'
64
65codex \
66 -c 'features.network_proxy.enabled=true' \
67 -c 'features.network_proxy.domains={ "api.openai.com" = "allow", "example.com" = "deny" }' \
68 -c 'sandbox_workspace_write.network_access=true'
69```
70
71The feature changes how enabled network access is enforced; it does not grant
72network access by itself. Use `sandbox_workspace_write.network_access` with
73`workspace-write` config to decide whether commands have network access at all:
74
75- Network off + `network_proxy` on: network stays off, and the feature does nothing.
76- Network on + `network_proxy` off: network stays on with unrestricted direct
77 outbound access.
78- Network on + `network_proxy` on: network stays on, and outbound traffic is
79 constrained by the configured network policy.
80
81Admin-managed `experimental_network` requirements are separate from the user
82feature toggle. They can configure and start sandboxed networking without
83`features.network_proxy`, but they do not turn on network access when the active
84sandbox keeps it off. See [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-network-access-requirements)
85for the administrator-side `requirements.toml` shape.
86
87#### Network policy
88
89Domain rules are allowlist-first:
90
91- Exact hosts match only themselves.
92- `*.example.com` matches subdomains such as `api.example.com`, but not
93 `example.com`.
94- `**.example.com` matches both the apex and subdomains.
95- A global `*` allow rule matches any public host that is not denied. Treat `*`
96 as broad network access and prefer scoped rules when you can.
97- `deny` always wins over `allow`, and global `*` is only valid for allow rules.
98
99#### Local and private destinations
100
101By default, `allow_local_binding = false` blocks loopback, link-local, and
102private destinations:
103
104- Specific exceptions: add an exact local IP literal or `localhost` allow rule
105 when a command needs one local target.
106- Broader access: set `allow_local_binding = true` only when you intentionally
107 want wider local/private reach.
108- Wildcards: wildcard rules do not count as explicit local exceptions.
109- Resolved addresses: hostnames that resolve to local/private IPs stay blocked
110 even if they match the allowlist.
111
112#### DNS rebinding protections
113
114Before allowing a hostname, Codex performs a best-effort DNS and IP
115classification check:
116
117- Lookups that fail or time out are blocked.
118- Hostnames that resolve to non-public addresses are blocked.
119- The check reduces DNS rebinding risk, but it does not eliminate it. Preventing
120 rebinding completely would require pinning resolved IPs through the transport
121 layer.
122
123If hostile DNS is in scope, enforce egress controls at a lower layer too.
124
125#### Dangerous settings
126
127Two settings deliberately widen the trust boundary:
128
129- `dangerously_allow_non_loopback_proxy = true` can expose proxy listeners beyond
130 loopback.
131- `dangerously_allow_all_unix_sockets = true` bypasses the Unix socket allowlist.
132
133Use them only in tightly controlled environments. When Unix socket proxying is
134enabled, listeners stay loopback-only even if non-loopback binding was requested,
135so sandboxed networking does not become a remote bridge into local daemons.
136
137`network_proxy` is off by default. When you enable it:
138
139| Setting | Default | Behavior |
140| -------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
141| `enabled` | `false` | Starts sandboxed networking only when command network access is already on. |
142| `domains` | unset | Uses allowlist behavior, so no external destinations are allowed until you add `allow` rules. Supports exact hosts, scoped wildcards, and global `*` allow rules; `deny` always wins. |
143| `unix_sockets` | unset | No Unix socket destinations are allowed until you add explicit `allow` rules. |
144| `allow_local_binding` | `false` | Blocks local and private-network destinations unless you add an exact local IP literal or `localhost` allow rule, or explicitly opt into broader local/private access. |
145| `enable_socks5` | `true` | Exposes SOCKS5 support when policy allows it. |
146| `enable_socks5_udp` | `true` | Allows UDP over SOCKS5 when SOCKS5 is available. |
147| `allow_upstream_proxy` | `true` | Lets sandboxed networking honor an upstream proxy from the environment. |
148| `dangerously_allow_non_loopback_proxy` | `false` | Keeps listener endpoints on loopback unless you deliberately expose them beyond localhost. |
149| `dangerously_allow_all_unix_sockets` | `false` | Keeps Unix socket access allowlist-based unless you deliberately bypass that protection. |
150
44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:151You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:
45 152
46```toml153```toml
121approvals_reviewer = "auto_review"228approvals_reviewer = "auto_review"
122```229```
123 230
231For the full reviewer lifecycle, trigger conditions, configuration precedence,
232and failure behavior, see
233[Auto-review](https://developers.openai.com/codex/concepts/sandboxing/auto-review).
234
124The reviewer evaluates only actions that already need approval, such as sandbox235The reviewer evaluates only actions that already need approval, such as sandbox
125236escalations, network requests, `request_permissions` prompts, or side-effectingescalations, blocked network requests, `request_permissions` prompts, or
126237app and MCP tool calls. Actions that stay inside the sandbox continue without anside-effecting app and MCP tool calls. Actions that stay inside the sandbox
127238extra review step.continue without an extra review step.
128 239
129The reviewer policy checks for data exfiltration, credential probing, persistent240The reviewer policy checks for data exfiltration, credential probing, persistent
130security weakening, and destructive actions. Low-risk and medium-risk actions241security weakening, and destructive actions. Low-risk and medium-risk actions
131can proceed when policy allows them. The policy denies critical-risk actions.242can proceed when policy allows them. The policy denies critical-risk actions.
132High-risk actions require enough user authorization and no matching deny rule.243High-risk actions require enough user authorization and no matching deny rule.
133244Timeouts, parse failures, and review errors fail closed.Prompt-build, review-session, and parse failures fail closed. Timeouts are
245surfaced separately, but the action still does not run.
134 246
135The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)247The [default reviewer policy](https://github.com/openai/codex/blob/main/codex-rs/core/src/guardian/policy.md)
136is in the open-source Codex repository. Enterprises can replace its248is in the open-source Codex repository. Enterprises can replace its
139take precedence. For setup details, see251take precedence. For setup details, see
140[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).252[Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-automatic-review-policy).
141 253
142254In the Codex app, these reviews appear as automatic review items with a status suchIn the Codex app, these reviews appear as automatic review items with a status
143255as Reviewing, Approved, Denied, Stopped, or Timed out. They can also include asuch as Reviewing, Approved, Denied, Aborted, or Timed out. They can also
144256risk level for the reviewed request.include a risk level and user-authorization assessment for the reviewed
257request.
145 258
146Automatic review uses extra model calls, so it can add to Codex usage. Admins259Automatic review uses extra model calls, so it can add to Codex usage. Admins
147can constrain it with `allowed_approvals_reviewers`.260can constrain it with `allowed_approvals_reviewers`.
148 261
149### Common sandbox and approval combinations262### Common sandbox and approval combinations
150 263
151264| Intent | Flags | Effect || Intent | Flags / config | Effect |
152265| ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ || ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
153266| Auto (preset) | *no flags needed* or `--full-auto` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. || Auto (preset) | _no flags needed_ or `--sandbox workspace-write --ask-for-approval on-request` | Codex can read files, make edits, and run commands in the workspace. Codex requires approval to edit outside the workspace or to access network. |
154| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |267| Safe read-only browsing | `--sandbox read-only --ask-for-approval on-request` | Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network. |
155| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |268| Read-only non-interactive (CI) | `--sandbox read-only --ask-for-approval never` | Codex can only read files; never asks for approval. |
156| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |269| Automatically edit but ask for approval to run untrusted commands | `--sandbox workspace-write --ask-for-approval untrusted` | Codex can read and edit files but asks for approval before running untrusted commands. |
157270| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | [Elevated Risk](https://help.openai.com/articles/20001061) No sandbox; no approvals *(not recommended)* || Auto-review mode | `--sandbox workspace-write --ask-for-approval on-request -c approvals_reviewer=auto_review` or `approvals_reviewer = "auto_review"` | Same sandbox boundary as standard on-request mode, but eligible approval requests are reviewed by Auto-review instead of surfacing to the user. |
271| Dangerous full access | `--dangerously-bypass-approvals-and-sandbox` (alias: `--yolo`) | <ElevatedRiskBadge /> No sandbox; no approvals _(not recommended)_ |
158 272
159273`--full-auto` is a convenience alias for `--sandbox workspace-write --ask-for-approval on-request`.For non-interactive runs, use `codex exec --sandbox workspace-write`; Codex keeps older `codex exec --full-auto` invocations as a deprecated compatibility path and prints a warning.
160 274
161With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.275With `--ask-for-approval untrusted`, Codex runs only known-safe read operations automatically. Commands that can mutate state or trigger external execution paths (for example, destructive Git operations or Git output/config-override flags) require approval.
162 276
202 316
203```bash317```bash
204# macOS318# macOS
205319codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...codex sandbox macos [--permissions-profile <name>] [--log-denials] [COMMAND]...
206# Linux320# Linux
207321codex sandbox linux [--full-auto] [COMMAND]...codex sandbox linux [--permissions-profile <name>] [COMMAND]...
322# Windows
323codex sandbox windows [--permissions-profile <name>] [COMMAND]...
208```324```
209 325
210The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).326The `sandbox` command is also available as `codex debug`, and the platform helpers have aliases (for example `codex sandbox seatbelt` and `codex sandbox landlock`).
266 382
2671. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).3831. Install Visual Studio Code and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).
2682. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.3842. Copy the Codex example `.devcontainer` setup into your repository, or start from the Codex repository directly.
2693853. In VS Code, run **Dev Containers: Open Folder in Container…** and select `.devcontainer/devcontainer.secure.json`.3. In VS Code, run **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.
2704. After the container starts, open a terminal and run `codex`.3864. After the container starts, open a terminal and run `codex`.
271 387
272You can also start the container from the CLI:388You can also start the container from the CLI: