concepts/sandboxing.md +3 −0
131Managed network profiles use map tables such as131Managed network profiles use map tables such as
132`[permissions.<name>.network.domains]` and132`[permissions.<name>.network.domains]` and
133`[permissions.<name>.network.unix_sockets]` for domain and socket rules.133`[permissions.<name>.network.unix_sockets]` for domain and socket rules.
134Filesystem profiles can also deny reads for exact paths or glob patterns by
135setting matching entries to `"none"`; use this to keep files such as local
136secrets unreadable without turning off workspace writes.
134 137
135When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules138When a workflow needs a specific exception, use [rules](https://developers.openai.com/codex/rules). Rules
136let you allow, prompt, or forbid command prefixes outside the sandbox, which is139let you allow, prompt, or forbid command prefixes outside the sandbox, which is