concepts/sandboxing.md +27 −4
52 52
53On **Linux and WSL2**, install `bubblewrap` with your package manager first:53On **Linux and WSL2**, install `bubblewrap` with your package manager first:
54 54
55<Tabs
56 id="codex-sandboxing-prerequisites"
57 param="sandbox-os"
58 tabs={[
59 { id: "ubuntu-debian", label: "Ubuntu/Debian" },
60 { id: "fedora", label: "Fedora" },
61 ]}
62>
63 <div slot="ubuntu-debian">
64
55```bash65```bash
56sudo apt install bubblewrap66sudo apt install bubblewrap
57```67```
58 68
69 </div>
70
71 <div slot="fedora">
72
59```bash73```bash
60sudo dnf install bubblewrap74sudo dnf install bubblewrap
61```75```
62 76
77 </div>
78</Tabs>
79
63Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`80Codex uses the first `bwrap` executable it finds on `PATH`. If no `bwrap`
64executable is available, Codex falls back to a bundled helper, but that helper81executable is available, Codex falls back to a bundled helper, but that helper
65requires support for unprivileged user namespace creation. Installing the82requires support for unprivileged user namespace creation. Installing the
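Review bot: The two install tabs stop at the package install and give the reader no way to confirm which `bwrap` Codex will run, even though the paragraph directly below says Codex uses the first `bwrap` executable it finds on `PATH`. Consider adding a line after the tabs asking the reader to run `command -v bwrap` and check that it resolves to the distro-installed binary rather than a copy in an earlier, user-writable `PATH` directory. Separately, the lead-in says "your package manager" but the tabs cover only apt and dnf; either add a short note for other distributions or narrow the lead-in to match.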
109the composer or chat input. That selector lets you rely on Codex's default126the composer or chat input. That selector lets you rely on Codex's default
110permissions, switch to full access, or use your custom configuration.127permissions, switch to full access, or use your custom configuration.
111 128
112129<div class="not-prose max-w-[22rem] mr-auto mb-6">
130 <img src="https://developers.openai.com/images/codex/app/permissions-selector-light.webp"
131 alt="Codex app permissions selector showing Default permissions, Full access, and Custom (config.toml)"
132 class="block h-auto w-full mx-0!"
133 />
134</div>
113 135
114In the CLI, use [`/permissions`](https://developers.openai.com/codex/cli/slash-commands#update-permissions-with-permissions)136In the CLI, use [`/permissions`](https://developers.openai.com/codex/cli/slash-commands#update-permissions-with-permissions)
115to switch modes during a session.137to switch modes during a session.
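Review bot: The new `<img>` references only the `permissions-selector-light.webp` asset, through an absolute `https://developers.openai.com/...` URL. If the docs site has a dark theme, a light-only screenshot will stand out, and the absolute URL means local and preview builds load the image from production instead of from the branch under review. Suggest a site-relative path, a dark variant if one exists, and explicit `width`/`height` attributes so the page does not shift when the image loads.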
145- `never`: Codex doesn't stop for approval prompts.167- `never`: Codex doesn't stop for approval prompts.
146 168
147Full access means using `sandbox_mode = "danger-full-access"` together with169Full access means using `sandbox_mode = "danger-full-access"` together with
148170`approval_policy = "never"`. By contrast, `--full-auto` is the lower-risk local`approval_policy = "never"`. By contrast, the lower-risk local automation
149171automation preset: `sandbox_mode = "workspace-write"` andpreset is `sandbox_mode = "workspace-write"` together with
150172`approval_policy = "on-request"`.`approval_policy = "on-request"`, or the matching CLI flags
173`--sandbox workspace-write --ask-for-approval on-request`.
151 174
152If you need Codex to work across more than one directory, writable roots let175If you need Codex to work across more than one directory, writable roots let
153you extend the places it can modify without removing the sandbox entirely. If176you extend the places it can modify without removing the sandbox entirely. If
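Review bot: The rewritten sentence drops `--full-auto` without saying what happened to it, so a reader who knows the flag from the earlier wording cannot tell whether it is deprecated, removed, or still an alias for `--sandbox workspace-write --ask-for-approval on-request`. Add one clause stating its status. The paragraph is also now uneven: the lower-risk preset is given as both config keys and CLI flags, while the full-access case just above gives only `sandbox_mode = "danger-full-access"` and `approval_policy = "never"`; either give both forms for each or keep the CLI flags out of this paragraph.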