SpyBara
12 Apr 2026, 06:38
25 Apr 2026, 06:37

1# Sandboxing – Codex1# Sandbox

2 2 

3Sandboxing is the boundary that lets Codex act autonomously without giving it3The sandbox is the boundary that lets Codex act autonomously without giving it

4unrestricted access to your machine. When Codex runs local commands in the4unrestricted access to your machine. When Codex runs local commands in the

5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a

6constrained environment instead of running with full access by default.6constrained environment instead of running with full access by default.


21those commands inherit the same sandbox boundaries.21those commands inherit the same sandbox boundaries.

22 22 

23Codex uses platform-native enforcement on each OS. The implementation differs23Codex uses platform-native enforcement on each OS. The implementation differs

24between macOS, Linux, WSL, and native Windows, but the idea is the same across24between macOS, Linux, WSL2, and native Windows, but the idea is the same across

25surfaces: give the agent a bounded place to work so routine tasks can run25surfaces: give the agent a bounded place to work so routine tasks can run

26autonomously inside clear limits.26autonomously inside clear limits.

27 27 

28## Why it matters28## Why it matters

29 29 

30Sandboxing reduces approval fatigue. Instead of asking you to confirm every30The sandbox reduces approval fatigue. Instead of asking you to confirm every

31low-risk command, Codex can read files, make edits, and run routine project31low-risk command, Codex can read files, make edits, and run routine project

32commands within the boundary you already approved.32commands within the boundary you already approved.

33 33 

34It also gives you a clearer trust model for agentic work. You are not just34It also gives you a clearer trust model for agentic work. You aren't just

35trusting the agent's intentions; you are trusting that the agent is operating35trusting the agent's intentions; you are trusting that the agent is operating

36inside enforced limits. That makes it easier to let Codex work independently36inside enforced limits. That makes it easier to let Codex work independently

37while still knowing when it will stop and ask for help.37while still knowing when it will stop and ask for help.
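
Review bot: New line 24 narrows "WSL" to "WSL2", but the paragraph does not say what applies under WSL1. If WSL1 is unsupported or runs without the same enforcement, say so here or point to the Windows page, so a reader on WSL1 does not assume the same boundary is in place.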


60sudo dnf install bubblewrap60sudo dnf install bubblewrap

61```61```

62 62 

63Codex uses the system `bwrap` at `/usr/bin/bwrap` when it is available. If it63Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`

64is missing, Codex falls back to a bundled helper, but that helper requires64executable is available, Codex falls back to a bundled helper, but that helper

65unprivileged user namespaces. Installing your distro’s `bubblewrap` package is65requires support for unprivileged user namespace creation. Installing the

66the most reliable setup.66distribution package that provides `bwrap` keeps this setup reliable.

67 67 

68Codex surfaces a startup warning when `bwrap` is missing or cannot create user68Codex surfaces a startup warning when `bwrap` is missing or when the helper

69namespaces. On distributions that restrict them with AppArmor, you can enable69can't create the needed user namespace. On distributions that restrict this

70them with:70AppArmor setting, prefer loading the `bwrap` AppArmor profile so `bwrap` can

71keep working without disabling the restriction globally.

72 

73**Ubuntu AppArmor note:** On Ubuntu 25.04, installing `bubblewrap` from

74 Ubuntu's package repository should work without extra AppArmor setup. The

75 `bwrap-userns-restrict` profile ships in the `apparmor` package at

76 `/etc/apparmor.d/bwrap-userns-restrict`.

77 

78On Ubuntu 24.04, Codex may still warn that it can't create the needed user

79namespace after `bubblewrap` is installed. Copy and load the extra profile:

80 

81```bash

82sudo apt update

83sudo apt install apparmor-profiles apparmor-utils

84sudo install -m 0644 \

85 /usr/share/apparmor/extra-profiles/bwrap-userns-restrict \

86 /etc/apparmor.d/bwrap-userns-restrict

87sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

88```

89 

90`apparmor_parser -r` loads the profile into the kernel without a reboot. You

91can also reload all AppArmor profiles:

92 

93```bash

94sudo systemctl reload apparmor.service

95```

96 

97If that profile is unavailable or does not resolve the issue, you can disable

98the AppArmor unprivileged user namespace restriction with:

71 99 

72```bash100```bash

73sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0101sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
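
Review bot: New lines 63-66 replace the fixed path `/usr/bin/bwrap` with "the first `bwrap` executable it finds on `PATH`", which makes the sandbox enforcer depend on PATH order, and the text gives the reader no way to confirm which binary was picked. Suggest adding a line that tells users to check the resolved path (for example with `command -v bwrap`) and to keep user-writable directories from preceding the system directories on `PATH`. The fallback at new lines 97-101 would also benefit from repeating, next to the `sysctl` command, that it lifts the restriction for the whole system rather than for `bwrap` alone, since new lines 70-71 already present the profile as the way to avoid that.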


99 127 

100At a high level, the common sandbox modes are:128At a high level, the common sandbox modes are:

101 129 

102- `read-only`: Codex can inspect files, but it cannot edit files or run130- `read-only`: Codex can inspect files, but it can't edit files or run

103 commands without approval.131 commands without approval.

104- `workspace-write`: Codex can read files, edit within the workspace, and run132- `workspace-write`: Codex can read files, edit within the workspace, and run

105 routine local commands inside that boundary. This is the default low-friction133 routine local commands inside that boundary. This is the default low-friction


110 138 

111The common approval policies are:139The common approval policies are:

112 140 

113- `untrusted`: Codex asks before running commands that are not in its trusted141- `untrusted`: Codex asks before running commands that aren't in its trusted

114 set.142 set.

115- `on-request`: Codex works inside the sandbox by default and asks when it143- `on-request`: Codex works inside the sandbox by default and asks when it

116 needs to go beyond that boundary.144 needs to go beyond that boundary.

117- `never`: Codex does not stop for approval prompts.145- `never`: Codex doesn't stop for approval prompts.

118 146 

119Full access means using `sandbox_mode = "danger-full-access"` together with147Full access means using `sandbox_mode = "danger-full-access"` together with

120`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local148`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local


124If you need Codex to work across more than one directory, writable roots let152If you need Codex to work across more than one directory, writable roots let

125you extend the places it can modify without removing the sandbox entirely. If153you extend the places it can modify without removing the sandbox entirely. If

126you need a broader or narrower trust boundary, adjust the default sandbox mode154you need a broader or narrower trust boundary, adjust the default sandbox mode

127and approval policy instead of relying on ad hoc exceptions.155and approval policy instead of relying on one-off exceptions.

156 

157For reusable permission sets, set `default_permissions` to a named profile and

158define `[permissions.<name>.filesystem]` or `[permissions.<name>.network]`.

159Managed network profiles use map tables such as

160`[permissions.<name>.network.domains]` and

161`[permissions.<name>.network.unix_sockets]` for domain and socket rules.

162Filesystem profiles can also deny reads for exact paths or glob patterns by

163setting matching entries to `"none"`; use this to keep files such as local

164secrets unreadable without turning off workspace writes.

128 165 

129When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules166When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules

130let you allow, prompt, or forbid command prefixes outside the sandbox, which is167let you allow, prompt, or forbid command prefixes outside the sandbox, which is
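
Review bot: The new paragraph at lines 157-164 names `default_permissions`, the `[permissions.<name>.filesystem]` and `[permissions.<name>.network]` tables and the `"none"` value, but it shows no sample profile, so the key format for an exact path or glob entry is left to guesswork. Suggest adding a short TOML example with one deny-read entry, and stating which setting wins when a path set to `"none"` also lies inside the workspace or a writable root.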


133[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the170[Codex app features](https://developers.openai.com/codex/app/features#approvals-and-sandboxing), and for the

134IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).171IDE-specific settings entry points, see [Codex IDE extension settings](https://developers.openai.com/codex/ide/settings).

135 172 

173Automatic review, when available, doesn't change the sandbox boundary. It

174reviews approval requests, such as sandbox escalations or network access, while

175actions already allowed inside the sandbox run without extra review. See

176[Automatic approval reviews](https://developers.openai.com/codex/agent-approvals-security#automatic-approval-reviews)

177for the policy behavior.

178 

136Platform details live in the platform-specific docs. For native Windows setup,179Platform details live in the platform-specific docs. For native Windows setup,

137behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin180behavior, and troubleshooting, see [Windows](https://developers.openai.com/codex/windows). For admin

138requirements and organization-level constraints on sandboxing and approvals, see181requirements and organization-level constraints on sandboxing and approvals, see
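
Review bot: In the new paragraph at lines 173-177, "when available" does not say where automatic review is available, so a reader cannot tell whether it applies to their setup. Suggest naming the surfaces or conditions here, or making the linked page the stated source for that. The statement that actions already allowed inside the sandbox "run without extra review" is the part readers need for their trust model; consider putting it first.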