Codex CLI Sandboxing: Seatbelt, Bubblewrap, Landlock, and Docker
Codex CLI Sandboxing: Seatbelt, Bubblewrap, Landlock, and Docker
Codex CLI's read-only, workspace-write, and danger-full-access modes are policy settings. The actual isolation is enforced by platform backends. This article connects the source-level view with the common macOS and Linux sandbox primitives.
Architecture
Command request
↓
Approval policy
↓
Sandbox type
↓
Seatbelt / Bubblewrap + seccomp / Restricted TokenApproval answers whether an action needs confirmation; sandboxing limits what an approved process can touch.
macOS Seatbelt
The macOS backend loads an SBPL profile through sandbox-exec. A profile starts from denied capabilities and adds exceptions for the workspace, temporary directories, interpreters, and network policy.
read-onlydoes not allow workspace writes.workspace-writeopens the workspace and explicitwritable_roots.- Network access is a separate policy; write access does not imply network access.
- Child processes generally inherit the process restriction.
Linux backends
Bubblewrap builds the process filesystem view with read-only system mounts and writable workspace bindings. seccomp-BPF filters system calls; it is not a path permission system. Landlock provides path-oriented kernel access control and can restrict opening, writing, executing, and deleting files, subject to kernel support.
no_new_privs prevents setuid and file capabilities from granting additional privilege and is an important companion to seccomp and Landlock.
Windows and Docker
The Windows backend uses a Restricted Token together with ACL and child-process rules. Docker Desktop on macOS normally runs Linux containers inside a Linux VM provided by Apple Virtualization.framework. That container/VM boundary is different from Seatbelt restrictions on a host process.
| Mechanism | Main boundary | Typical capability |
|---|---|---|
| Seatbelt | macOS process | Paths, network, capabilities |
| Bubblewrap | Linux process view | Mount, user, network namespaces |
| seccomp | Linux syscalls | Syscall filtering |
| Landlock | Linux filesystem | Path and operation filtering |
| Docker | Container/VM | Namespaces, cgroups, image/network isolation |
Security boundaries and debugging
- A sandbox is not malware detection; an approved program can still damage data inside its allowed scope.
workspace-writeis more than “edit the current file”: builds may write caches, temporary files, and generated output.- Disabling network access does not replace credential hygiene; remove secrets from environment variables and workspace files.
- Privileged containers, host mounts, and the Docker socket can radically change the container boundary.
When a command runs but access fails, check approval policy, sandbox type, writable roots, backend arguments, and distinguish path, syscall, and network denials.
Summary
Codex sandboxing combines policy with platform enforcement. Approval controls interaction risk, while Seatbelt, Bubblewrap, seccomp, Landlock, and Restricted Token enforce the actual boundary.
