concepts/sandboxing.md +52 −9
11# Sandboxing – Codex# Sandbox
2 2
33Sandboxing is the boundary that lets Codex act autonomously without giving itThe sandbox is the boundary that lets Codex act autonomously without giving it
4unrestricted access to your machine. When Codex runs local commands in the4unrestricted access to your machine. When Codex runs local commands in the
5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a
6constrained environment instead of running with full access by default.6constrained environment instead of running with full access by default.
21those commands inherit the same sandbox boundaries.21those commands inherit the same sandbox boundaries.
22 22
23Codex uses platform-native enforcement on each OS. The implementation differs23Codex uses platform-native enforcement on each OS. The implementation differs
2424between macOS, Linux, WSL, and native Windows, but the idea is the same acrossbetween macOS, Linux, WSL2, and native Windows, but the idea is the same across
25surfaces: give the agent a bounded place to work so routine tasks can run25surfaces: give the agent a bounded place to work so routine tasks can run
26autonomously inside clear limits.26autonomously inside clear limits.
27 27
28## Why it matters28## Why it matters
29 29
3030Sandboxing reduces approval fatigue. Instead of asking you to confirm everyThe sandbox reduces approval fatigue. Instead of asking you to confirm every
31low-risk command, Codex can read files, make edits, and run routine project31low-risk command, Codex can read files, make edits, and run routine project
32commands within the boundary you already approved.32commands within the boundary you already approved.
33 33
3434It also gives you a clearer trust model for agentic work. You are not justIt also gives you a clearer trust model for agentic work. You aren't just
35trusting the agent's intentions; you are trusting that the agent is operating35trusting the agent's intentions; you are trusting that the agent is operating
36inside enforced limits. That makes it easier to let Codex work independently36inside enforced limits. That makes it easier to let Codex work independently
37while still knowing when it will stop and ask for help.37while still knowing when it will stop and ask for help.
38 38
39## Getting started
40
41Codex applies sandboxing automatically when you use the default permissions
42mode.
43
44### Prerequisites
45
46On **macOS**, sandboxing works out of the box using the built-in Seatbelt
47framework.
48
49On **Windows**, Codex uses the native [Windows
50sandbox](https://developers.openai.com/codex/windows#windows-sandbox) when you run in PowerShell and the
51Linux sandbox implementation when you run in WSL2.
52
53On **Linux and WSL2**, install `bubblewrap` with your package manager first:
54
55```bash
56sudo apt install bubblewrap
57```
58
59```bash
60sudo dnf install bubblewrap
61```
62
63Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`
64executable is available, Codex falls back to a bundled helper, but that helper
65requires support for unprivileged user namespace creation. Installing the
66distribution package that provides `bwrap` keeps this setup reliable.
67
68Codex surfaces a startup warning when `bwrap` is missing or when the helper
69can't create the needed user namespace. On distributions that restrict this
70AppArmor setting, you can enable it with:
71
72```bash
73sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
74```
75
39## How you control it76## How you control it
40 77
41Most people start with the permissions controls in the product.78Most people start with the permissions controls in the product.
62 99
63At a high level, the common sandbox modes are:100At a high level, the common sandbox modes are:
64 101
65102- `read-only`: Codex can inspect files, but it cannot edit files or run- `read-only`: Codex can inspect files, but it can't edit files or run
66 commands without approval.103 commands without approval.
67- `workspace-write`: Codex can read files, edit within the workspace, and run104- `workspace-write`: Codex can read files, edit within the workspace, and run
68 routine local commands inside that boundary. This is the default low-friction105 routine local commands inside that boundary. This is the default low-friction
73 110
74The common approval policies are:111The common approval policies are:
75 112
76113- `untrusted`: Codex asks before running commands that are not in its trusted- `untrusted`: Codex asks before running commands that aren't in its trusted
77 set.114 set.
78- `on-request`: Codex works inside the sandbox by default and asks when it115- `on-request`: Codex works inside the sandbox by default and asks when it
79 needs to go beyond that boundary.116 needs to go beyond that boundary.
80117- `never`: Codex does not stop for approval prompts.- `never`: Codex doesn't stop for approval prompts.
81 118
82Full access means using `sandbox_mode = "danger-full-access"` together with119Full access means using `sandbox_mode = "danger-full-access"` together with
83`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local120`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local
87If you need Codex to work across more than one directory, writable roots let124If you need Codex to work across more than one directory, writable roots let
88you extend the places it can modify without removing the sandbox entirely. If125you extend the places it can modify without removing the sandbox entirely. If
89you need a broader or narrower trust boundary, adjust the default sandbox mode126you need a broader or narrower trust boundary, adjust the default sandbox mode
90127and approval policy instead of relying on ad hoc exceptions.and approval policy instead of relying on one-off exceptions.
128
129For reusable permission sets, set `default_permissions` to a named profile and
130define `[permissions.<name>.filesystem]` or `[permissions.<name>.network]`.
131Managed network profiles use map tables such as
132`[permissions.<name>.network.domains]` and
133`[permissions.<name>.network.unix_sockets]` for domain and socket rules.
91 134
92When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules135When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules
93let you allow, prompt, or forbid command prefixes outside the sandbox, which is136let you allow, prompt, or forbid command prefixes outside the sandbox, which is