Platform sandboxing details
The mechanism Codex uses to implement the sandbox policy depends on your OS:
- macOS 12+ uses Apple Seatbelt and runs commands using
sandbox-execwith a profile (-p) that corresponds to the--sandboxthat was specified. - Linux uses a combination of Landlock/seccomp APIs to enforce the
sandboxconfiguration.
Note that when running Linux in a containerized environment such as Docker, sandboxing may not work if the host/container configuration does not support the necessary Landlock/seccomp APIs. In such cases, we recommend configuring your Docker container so that it provides the sandbox guarantees you are looking for and then running codex with --sandbox danger-full-access (or, more simply, the --dangerously-bypass-approvals-and-sandbox flag) within your container.