SpyBara
Go Premium Account

concepts/sandboxing.md Codex Docs, 2026-03-05 18:41 UTC → 2026-05-07 20:02 UTC

Inspect the documentation page or source diff for this selected snapshot comparison.

2026
5 Mar 2026, 18:41
14 May 2026, 21:00 14 May 2026, 07:00 13 May 2026, 00:57 12 May 2026, 01:59 11 May 2026, 18:00 7 May 2026, 20:02 7 May 2026, 17:08 5 May 2026, 23:00 2 May 2026, 06:45 2 May 2026, 00:48 1 May 2026, 18:29 30 Apr 2026, 18:36 29 Apr 2026, 12:40 29 Apr 2026, 00:50 25 Apr 2026, 06:37 25 Apr 2026, 00:42 24 Apr 2026, 18:20 24 Apr 2026, 12:28 23 Apr 2026, 18:31 23 Apr 2026, 12:28 23 Apr 2026, 00:46 22 Apr 2026, 18:29 22 Apr 2026, 00:42 21 Apr 2026, 18:29 21 Apr 2026, 12:30 21 Apr 2026, 06:45 20 Apr 2026, 18:26 20 Apr 2026, 06:53 18 Apr 2026, 18:18 17 Apr 2026, 00:44 16 Apr 2026, 18:31 16 Apr 2026, 00:46 15 Apr 2026, 18:31 15 Apr 2026, 06:44 14 Apr 2026, 18:31 14 Apr 2026, 12:29 13 Apr 2026, 18:37 13 Apr 2026, 00:44 12 Apr 2026, 06:38 10 Apr 2026, 18:23 9 Apr 2026, 00:33 8 Apr 2026, 18:32 8 Apr 2026, 00:40 7 Apr 2026, 00:40 2 Apr 2026, 18:23 31 Mar 2026, 06:35 31 Mar 2026, 00:39 28 Mar 2026, 06:26 28 Mar 2026, 00:36 27 Mar 2026, 18:23 27 Mar 2026, 00:39 26 Mar 2026, 18:27 25 Mar 2026, 18:24 23 Mar 2026, 18:22 20 Mar 2026, 00:35 18 Mar 2026, 12:23 18 Mar 2026, 00:36 17 Mar 2026, 18:24 17 Mar 2026, 00:33 16 Mar 2026, 18:25 16 Mar 2026, 12:23 14 Mar 2026, 00:32 13 Mar 2026, 18:15 13 Mar 2026, 00:34 11 Mar 2026, 00:31 9 Mar 2026, 00:34 8 Mar 2026, 18:10 8 Mar 2026, 00:35 7 Mar 2026, 18:10 7 Mar 2026, 06:14 7 Mar 2026, 00:33 6 Mar 2026, 00:38 5 Mar 2026, 18:41 5 Mar 2026, 06:22 5 Mar 2026, 00:34 4 Mar 2026, 18:18 4 Mar 2026, 06:20 3 Mar 2026, 18:20 3 Mar 2026, 00:35 27 Feb 2026, 18:15 24 Feb 2026, 06:27 24 Feb 2026, 00:33 23 Feb 2026, 18:27 21 Feb 2026, 00:33 20 Feb 2026, 12:16 19 Feb 2026, 20:53 19 Feb 2026, 20:37
7 May 2026, 20:02
14 May 2026, 21:00 14 May 2026, 07:00 13 May 2026, 00:57 12 May 2026, 01:59 11 May 2026, 18:00 7 May 2026, 20:02 7 May 2026, 17:08 5 May 2026, 23:00 2 May 2026, 06:45 2 May 2026, 00:48 1 May 2026, 18:29 30 Apr 2026, 18:36 29 Apr 2026, 12:40 29 Apr 2026, 00:50 25 Apr 2026, 06:37 25 Apr 2026, 00:42 24 Apr 2026, 18:20 24 Apr 2026, 12:28 23 Apr 2026, 18:31 23 Apr 2026, 12:28 23 Apr 2026, 00:46 22 Apr 2026, 18:29 22 Apr 2026, 00:42 21 Apr 2026, 18:29 21 Apr 2026, 12:30 21 Apr 2026, 06:45 20 Apr 2026, 18:26 20 Apr 2026, 06:53 18 Apr 2026, 18:18 17 Apr 2026, 00:44 16 Apr 2026, 18:31 16 Apr 2026, 00:46 15 Apr 2026, 18:31 15 Apr 2026, 06:44 14 Apr 2026, 18:31 14 Apr 2026, 12:29 13 Apr 2026, 18:37 13 Apr 2026, 00:44 12 Apr 2026, 06:38 10 Apr 2026, 18:23 9 Apr 2026, 00:33 8 Apr 2026, 18:32 8 Apr 2026, 00:40 7 Apr 2026, 00:40 2 Apr 2026, 18:23 31 Mar 2026, 06:35 31 Mar 2026, 00:39 28 Mar 2026, 06:26 28 Mar 2026, 00:36 27 Mar 2026, 18:23 27 Mar 2026, 00:39 26 Mar 2026, 18:27 25 Mar 2026, 18:24 23 Mar 2026, 18:22 20 Mar 2026, 00:35 18 Mar 2026, 12:23 18 Mar 2026, 00:36 17 Mar 2026, 18:24 17 Mar 2026, 00:33 16 Mar 2026, 18:25 16 Mar 2026, 12:23 14 Mar 2026, 00:32 13 Mar 2026, 18:15 13 Mar 2026, 00:34 11 Mar 2026, 00:31 9 Mar 2026, 00:34 8 Mar 2026, 18:10 8 Mar 2026, 00:35 7 Mar 2026, 18:10 7 Mar 2026, 06:14 7 Mar 2026, 00:33 6 Mar 2026, 00:38 5 Mar 2026, 18:41 5 Mar 2026, 06:22 5 Mar 2026, 00:34 4 Mar 2026, 18:18 4 Mar 2026, 06:20 3 Mar 2026, 18:20 3 Mar 2026, 00:35 27 Feb 2026, 18:15 24 Feb 2026, 06:27 24 Feb 2026, 00:33 23 Feb 2026, 18:27 21 Feb 2026, 00:33 20 Feb 2026, 12:16 19 Feb 2026, 20:53 19 Feb 2026, 20:37
Fri 1 18:29 Sat 2 00:48 Sat 2 06:45 Tue 5 23:00 Thu 7 17:08 Thu 7 20:02 Mon 11 18:00 Tue 12 01:59 Wed 13 00:57 Thu 14 07:00 Thu 14 21:00

After 2026-05-02 06:45 UTC, this monitor no longer uses markdownified HTML/MDX. Comparisons across that boundary can therefore show more extensive diffs.

concepts/sandboxing.md +205 −0 added

Details

1# Sandbox

2 

3The sandbox is the boundary that lets Codex act autonomously without giving it

4unrestricted access to your machine. When Codex runs local commands in the

5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a

6constrained environment instead of running with full access by default.

7 

8That environment defines what Codex can do on its own, such as which files it

9can modify and whether commands can use the network. When a task stays inside

10those boundaries, Codex can keep moving without stopping for confirmation. When

11it needs to go beyond them, Codex falls back to the approval flow.

12 

13Sandboxing and approvals are different controls that work together. The

14 sandbox defines technical boundaries. The approval policy decides when Codex

15 must stop and ask before crossing them.

16 

17## What the sandbox does

18 

19The sandbox applies to spawned commands, not just to Codex's built-in file

20operations. If Codex runs tools like `git`, package managers, or test runners,

21those commands inherit the same sandbox boundaries.

22 

23Codex uses platform-native enforcement on each OS. The implementation differs

24between macOS, Linux, WSL2, and native Windows, but the idea is the same across

25surfaces: give the agent a bounded place to work so routine tasks can run

26autonomously inside clear limits.

27 

28## Why it matters

29 

30The sandbox reduces approval fatigue. Instead of asking you to confirm every

31low-risk command, Codex can read files, make edits, and run routine project

32commands within the boundary you already approved.

33 

34It also gives you a clearer trust model for agentic work. You aren't just

35trusting the agent's intentions; you are trusting that the agent is operating

36inside enforced limits. That makes it easier to let Codex work independently

37while still knowing when it will stop and ask for help.

38 

39## Getting started

40 

41Codex applies sandboxing automatically when you use the default permissions

42mode.

43 

44### Prerequisites

45 

46On **macOS**, sandboxing works out of the box using the built-in Seatbelt

47framework.

48 

49On **Windows**, Codex uses the native [Windows

50sandbox](https://developers.openai.com/codex/windows#windows-sandbox) when you run in PowerShell and the

51Linux sandbox implementation when you run in WSL2.

52 

53On **Linux and WSL2**, install `bubblewrap` with your package manager first:

54 

55<Tabs

56 id="codex-sandboxing-prerequisites"

57 param="sandbox-os"

58 tabs={[

59 { id: "ubuntu-debian", label: "Ubuntu/Debian" },

60 { id: "fedora", label: "Fedora" },

61 ]}

62>

63 <div slot="ubuntu-debian">

64 

65```bash

66sudo apt install bubblewrap

67```

68 

69 </div>

70 

71 <div slot="fedora">

72 

73```bash

74sudo dnf install bubblewrap

75```

76 

77 </div>

78</Tabs>

79 

80Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`

81executable is available, Codex falls back to a bundled helper, but that helper

82requires support for unprivileged user namespace creation. Installing the

83distribution package that provides `bwrap` keeps this setup reliable.

84 

85Codex surfaces a startup warning when `bwrap` is missing or when the helper

86can't create the needed user namespace. On distributions that restrict this

87AppArmor setting, prefer loading the `bwrap` AppArmor profile so `bwrap` can

88keep working without disabling the restriction globally.

89 

90**Ubuntu AppArmor note:** On Ubuntu 25.04, installing `bubblewrap` from

91 Ubuntu's package repository should work without extra AppArmor setup. The

92 `bwrap-userns-restrict` profile ships in the `apparmor` package at

93 `/etc/apparmor.d/bwrap-userns-restrict`.

94 

95On Ubuntu 24.04, Codex may still warn that it can't create the needed user

96namespace after `bubblewrap` is installed. Copy and load the extra profile:

97 

98```bash

99sudo apt update

100sudo apt install apparmor-profiles apparmor-utils

101sudo install -m 0644 \

102 /usr/share/apparmor/extra-profiles/bwrap-userns-restrict \

103 /etc/apparmor.d/bwrap-userns-restrict

104sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

105```

106 

107`apparmor_parser -r` loads the profile into the kernel without a reboot. You

108can also reload all AppArmor profiles:

109 

110```bash

111sudo systemctl reload apparmor.service

112```

113 

114If that profile is unavailable or does not resolve the issue, you can disable

115the AppArmor unprivileged user namespace restriction with:

116 

117```bash

118sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

119```

120 

121## How you control it

122 

123Most people start with the permissions controls in the product.

124 

125In the Codex app and IDE, you choose a mode from the permissions selector under

126the composer or chat input. That selector lets you rely on Codex's default

127permissions, switch to full access, or use your custom configuration.

128 

129<div class="not-prose max-w-[22rem] mr-auto mb-6">

130 <img src="https://developers.openai.com/images/codex/app/permissions-selector-light.webp"

131 alt="Codex app permissions selector showing Default permissions, Full access, and Custom (config.toml)"

132 class="block h-auto w-full mx-0!"

133 />

134</div>

135 

136In the CLI, use [`/permissions`](https://developers.openai.com/codex/cli/slash-commands#update-permissions-with-permissions)

137to switch modes during a session.

138 

139## Configure defaults

140 

141If you want Codex to start with the same behavior every time, use a custom

142configuration. Codex stores those defaults in `config.toml`, its local settings

143file. [Config basics](https://developers.openai.com/codex/config-basic) explains how it works, and the

144[Configuration reference](https://developers.openai.com/codex/config-reference) documents the exact keys for

145`sandbox_mode`, `approval_policy`, and

146`sandbox_workspace_write.writable_roots`. Use those settings to decide how much

147autonomy Codex gets by default, which directories it can write to, and when it

148should pause for approval.

149 

150At a high level, the common sandbox modes are:

151 

152- `read-only`: Codex can inspect files, but it can't edit files or run

153 commands without approval.

154- `workspace-write`: Codex can read files, edit within the workspace, and run

155 routine local commands inside that boundary. This is the default low-friction

156 mode for local work.

157- `danger-full-access`: Codex runs without sandbox restrictions. This removes

158 the filesystem and network boundaries and should be used only when you want

159 Codex to act with full access.

160 

161The common approval policies are:

162 

163- `untrusted`: Codex asks before running commands that aren't in its trusted

164 set.

165- `on-request`: Codex works inside the sandbox by default and asks when it

166 needs to go beyond that boundary.

167- `never`: Codex doesn't stop for approval prompts.

168 

169Full access means using `sandbox_mode = "danger-full-access"` together with

170`approval_policy = "never"`. By contrast, the lower-risk local automation

171preset is `sandbox_mode = "workspace-write"` together with

172`approval_policy = "on-request"`, or the matching CLI flags

173`--sandbox workspace-write --ask-for-approval on-request`.

174 

175If you need Codex to work across more than one directory, writable roots let

176you extend the places it can modify without removing the sandbox entirely. If

177you need a broader or narrower trust boundary, adjust the default sandbox mode

178and approval policy instead of relying on one-off exceptions.

179 

180For reusable permission sets, set `default_permissions` to a named profile and

181define `[permissions.<name>.filesystem]` or `[permissions.<name>.network]`.

182Managed network profiles use map tables such as

183`[permissions.<name>.network.domains]` and

184`[permissions.<name>.network.unix_sockets]` for domain and socket rules.

185Filesystem profiles can also deny reads for exact paths or glob patterns by

186setting matching entries to `"none"`; use this to keep files such as local

187secrets unreadable without turning off workspace writes.

188 

189When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules

190let you allow, prompt, or forbid command prefixes outside the sandbox, which is

191often a better fit than broadly expanding access. For a higher-level overview

192of approvals and sandbox behavior in the app, see

193[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the

194IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).

195 

196Automatic review, when available, doesn't change the sandbox boundary. It

197reviews approval requests, such as sandbox escalations or network access, while

198actions already allowed inside the sandbox run without extra review. See

199[Automatic approval reviews](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

200for the policy behavior.

201 

202Platform details live in the platform-specific docs. For native Windows setup,

203behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin

204requirements and organization-level constraints on sandboxing and approvals, see

205[Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).