concepts/sandboxing.md +50 −13
11# Sandboxing – Codex# Sandbox
2 2
33Sandboxing is the boundary that lets Codex act autonomously without giving itThe sandbox is the boundary that lets Codex act autonomously without giving it
4unrestricted access to your machine. When Codex runs local commands in the4unrestricted access to your machine. When Codex runs local commands in the
5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a5**Codex app**, **IDE extension**, or **CLI**, those commands run inside a
6constrained environment instead of running with full access by default.6constrained environment instead of running with full access by default.
27 27
28## Why it matters28## Why it matters
29 29
3030Sandboxing reduces approval fatigue. Instead of asking you to confirm everyThe sandbox reduces approval fatigue. Instead of asking you to confirm every
31low-risk command, Codex can read files, make edits, and run routine project31low-risk command, Codex can read files, make edits, and run routine project
32commands within the boundary you already approved.32commands within the boundary you already approved.
33 33
3434It also gives you a clearer trust model for agentic work. You are not justIt also gives you a clearer trust model for agentic work. You aren't just
35trusting the agent's intentions; you are trusting that the agent is operating35trusting the agent's intentions; you are trusting that the agent is operating
36inside enforced limits. That makes it easier to let Codex work independently36inside enforced limits. That makes it easier to let Codex work independently
37while still knowing when it will stop and ask for help.37while still knowing when it will stop and ask for help.
62 62
63Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`63Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`
64executable is available, Codex falls back to a bundled helper, but that helper64executable is available, Codex falls back to a bundled helper, but that helper
6565requires unprivileged user namespaces. Installing your distro’s `bubblewrap`requires support for unprivileged user namespace creation. Installing the
6666package keeps this setup reliable.distribution package that provides `bwrap` keeps this setup reliable.
67 67
6868Codex surfaces a startup warning when `bwrap` is missing or cannot create userCodex surfaces a startup warning when `bwrap` is missing or when the helper
6969namespaces. On distributions that restrict them with AppArmor, you can enablecan't create the needed user namespace. On distributions that restrict this
7070them with:AppArmor setting, prefer loading the `bwrap` AppArmor profile so `bwrap` can
71keep working without disabling the restriction globally.
72
73**Ubuntu AppArmor note:** On Ubuntu 25.04, installing `bubblewrap` from
74 Ubuntu's package repository should work without extra AppArmor setup. The
75 `bwrap-userns-restrict` profile ships in the `apparmor` package at
76 `/etc/apparmor.d/bwrap-userns-restrict`.
77
78On Ubuntu 24.04, Codex may still warn that it can't create the needed user
79namespace after `bubblewrap` is installed. Copy and load the extra profile:
80
81```bash
82sudo apt update
83sudo apt install apparmor-profiles apparmor-utils
84sudo install -m 0644 \
85 /usr/share/apparmor/extra-profiles/bwrap-userns-restrict \
86 /etc/apparmor.d/bwrap-userns-restrict
87sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict
88```
89
90`apparmor_parser -r` loads the profile into the kernel without a reboot. You
91can also reload all AppArmor profiles:
92
93```bash
94sudo systemctl reload apparmor.service
95```
96
97If that profile is unavailable or does not resolve the issue, you can disable
98the AppArmor unprivileged user namespace restriction with:
71 99
72```bash100```bash
73sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0101sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
99 127
100At a high level, the common sandbox modes are:128At a high level, the common sandbox modes are:
101 129
102130- `read-only`: Codex can inspect files, but it cannot edit files or run- `read-only`: Codex can inspect files, but it can't edit files or run
103 commands without approval.131 commands without approval.
104- `workspace-write`: Codex can read files, edit within the workspace, and run132- `workspace-write`: Codex can read files, edit within the workspace, and run
105 routine local commands inside that boundary. This is the default low-friction133 routine local commands inside that boundary. This is the default low-friction
110 138
111The common approval policies are:139The common approval policies are:
112 140
113141- `untrusted`: Codex asks before running commands that are not in its trusted- `untrusted`: Codex asks before running commands that aren't in its trusted
114 set.142 set.
115- `on-request`: Codex works inside the sandbox by default and asks when it143- `on-request`: Codex works inside the sandbox by default and asks when it
116 needs to go beyond that boundary.144 needs to go beyond that boundary.
117145- `never`: Codex does not stop for approval prompts.- `never`: Codex doesn't stop for approval prompts.
118 146
119Full access means using `sandbox_mode = "danger-full-access"` together with147Full access means using `sandbox_mode = "danger-full-access"` together with
120`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local148`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local
124If you need Codex to work across more than one directory, writable roots let152If you need Codex to work across more than one directory, writable roots let
125you extend the places it can modify without removing the sandbox entirely. If153you extend the places it can modify without removing the sandbox entirely. If
126you need a broader or narrower trust boundary, adjust the default sandbox mode154you need a broader or narrower trust boundary, adjust the default sandbox mode
127155and approval policy instead of relying on ad hoc exceptions.and approval policy instead of relying on one-off exceptions.
156
157For reusable permission sets, set `default_permissions` to a named profile and
158define `[permissions.<name>.filesystem]` or `[permissions.<name>.network]`.
159Managed network profiles use map tables such as
160`[permissions.<name>.network.domains]` and
161`[permissions.<name>.network.unix_sockets]` for domain and socket rules.
162Filesystem profiles can also deny reads for exact paths or glob patterns by
163setting matching entries to `"none"`; use this to keep files such as local
164secrets unreadable without turning off workspace writes.
128 165
129When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules166When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules
130let you allow, prompt, or forbid command prefixes outside the sandbox, which is167let you allow, prompt, or forbid command prefixes outside the sandbox, which is