agent-approvals-security.md +107 −0
41network_access = true41network_access = true
42```42```
43 43
44### Network isolation
45
46Network access is controlled through destination rules that apply to scripts,
47programs, and subprocesses spawned by commands. When command network access is
48already enabled, turn on the `network_proxy` feature to constrain that traffic
49to the network policy you configure.
50
51```toml
52[features.network_proxy]
53enabled = true
54domains = { "api.openai.com" = "allow", "example.com" = "deny" }
55```
56
57For a one-off CLI session, use the boolean shorthand when you only need the
58toggle, and the table form when you also set policy options:
59
60```bash
61codex \
62 -c 'features.network_proxy=true' \
63 -c 'sandbox_workspace_write.network_access=true'
64
65codex \
66 -c 'features.network_proxy.enabled=true' \
67 -c 'features.network_proxy.domains={ "api.openai.com" = "allow", "example.com" = "deny" }' \
68 -c 'sandbox_workspace_write.network_access=true'
69```
70
71The feature changes how enabled network access is enforced; it does not grant
72network access by itself. Use `sandbox_workspace_write.network_access` with
73`workspace-write` config to decide whether commands have network access at all:
74
75- Network off + `network_proxy` on: network stays off, and the feature does nothing.
76- Network on + `network_proxy` off: network stays on with unrestricted direct
77 outbound access.
78- Network on + `network_proxy` on: network stays on, and outbound traffic is
79 constrained by the configured network policy.
80
81Admin-managed `experimental_network` requirements are separate from the user
82feature toggle. They can configure and start sandboxed networking without
83`features.network_proxy`, but they do not turn on network access when the active
84sandbox keeps it off. See [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration#configure-network-access-requirements)
85for the administrator-side `requirements.toml` shape.
86
87#### Network policy
88
89Domain rules are allowlist-first:
90
91- Exact hosts match only themselves.
92- `*.example.com` matches subdomains such as `api.example.com`, but not
93 `example.com`.
94- `**.example.com` matches both the apex and subdomains.
95- A global `*` allow rule matches any public host that is not denied. Treat `*`
96 as broad network access and prefer scoped rules when you can.
97- `deny` always wins over `allow`, and global `*` is only valid for allow rules.
98
99#### Local and private destinations
100
101By default, `allow_local_binding = false` blocks loopback, link-local, and
102private destinations:
103
104- Specific exceptions: add an exact local IP literal or `localhost` allow rule
105 when a command needs one local target.
106- Broader access: set `allow_local_binding = true` only when you intentionally
107 want wider local/private reach.
108- Wildcards: wildcard rules do not count as explicit local exceptions.
109- Resolved addresses: hostnames that resolve to local/private IPs stay blocked
110 even if they match the allowlist.
111
112#### DNS rebinding protections
113
114Before allowing a hostname, Codex performs a best-effort DNS and IP
115classification check:
116
117- Lookups that fail or time out are blocked.
118- Hostnames that resolve to non-public addresses are blocked.
119- The check reduces DNS rebinding risk, but it does not eliminate it. Preventing
120 rebinding completely would require pinning resolved IPs through the transport
121 layer.
122
123If hostile DNS is in scope, enforce egress controls at a lower layer too.
124
125#### Dangerous settings
126
127Two settings deliberately widen the trust boundary:
128
129- `dangerously_allow_non_loopback_proxy = true` can expose proxy listeners beyond
130 loopback.
131- `dangerously_allow_all_unix_sockets = true` bypasses the Unix socket allowlist.
132
133Use them only in tightly controlled environments. When Unix socket proxying is
134enabled, listeners stay loopback-only even if non-loopback binding was requested,
135so sandboxed networking does not become a remote bridge into local daemons.
136
137`network_proxy` is off by default. When you enable it:
138
139| Setting | Default | Behavior |
140| -------------------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
141| `enabled` | `false` | Starts sandboxed networking only when command network access is already on. |
142| `domains` | unset | Uses allowlist behavior, so no external destinations are allowed until you add `allow` rules. Supports exact hosts, scoped wildcards, and global `*` allow rules; `deny` always wins. |
143| `unix_sockets` | unset | No Unix socket destinations are allowed until you add explicit `allow` rules. |
144| `allow_local_binding` | `false` | Blocks local and private-network destinations unless you add an exact local IP literal or `localhost` allow rule, or explicitly opt into broader local/private access. |
145| `enable_socks5` | `true` | Exposes SOCKS5 support when policy allows it. |
146| `enable_socks5_udp` | `true` | Allows UDP over SOCKS5 when SOCKS5 is available. |
147| `allow_upstream_proxy` | `true` | Lets sandboxed networking honor an upstream proxy from the environment. |
148| `dangerously_allow_non_loopback_proxy` | `false` | Keeps listener endpoints on loopback unless you deliberately expose them beyond localhost. |
149| `dangerously_allow_all_unix_sockets` | `false` | Keeps Unix socket access allowlist-based unless you deliberately bypass that protection. |
150
44You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:151You can also control the [web search tool](https://platform.openai.com/docs/guides/tools-web-search) without granting full network access to spawned commands. Codex defaults to using a web search cache to access results. The cache is an OpenAI-maintained index of web results, so cached mode returns pre-indexed results instead of fetching live pages. This reduces exposure to prompt injection from arbitrary live content, but you should still treat web results as untrusted. If you are using `--yolo` or another [full access sandbox setting](#common-sandbox-and-approval-combinations), web search defaults to live results. Use `--search` or set `web_search = "live"` to allow live browsing, or set it to `"disabled"` to turn the tool off:
45 152
46```toml153```toml