feat: redesign sandbox config (#1373)

This is a major redesign of how sandbox configuration works and aims to
fix #1248. Specifically, it
replaces `sandbox_permissions` in `config.toml` (and the
`-s`/`--sandbox-permission` CLI flags) with a "table" with effectively
three variants:

```toml
# Safest option: full disk is read-only, but writes and network access are disallowed.
[sandbox]
mode = "read-only"

# The cwd of the Codex task is writable, as well as $TMPDIR on macOS.
# writable_roots can be used to specify additional writable folders.
[sandbox]
mode = "workspace-write"
writable_roots = []  # Optional, defaults to the empty list.
network_access = false  # Optional, defaults to false.

# Disable sandboxing: use at your own risk!!!
[sandbox]
mode = "danger-full-access"
```

This should make sandboxing easier to reason about. While we have
dropped support for `-s`, the way it works now is:

- no flags => `read-only`
- `--full-auto` => `workspace-write`
- currently, there is no way to specify `danger-full-access` via a CLI
flag, but we will revisit that as part of
#1254

Outstanding issue:

- As noted in the `TODO` on `SandboxPolicy::is_unrestricted()`, we are
still conflating sandbox preferences with approval preferences in that
case, which needs to be cleaned up.

Author: bolinfest

codex-rs/Cargo.lock

@@ -1,7 +1,6 @@
 use std::path::PathBuf;
 
 use codex_common::CliConfigOverrides;
-use codex_common::SandboxPermissionOption;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::exec::StdioPolicy;
@@ -20,13 +19,11 @@ pub async fn run_command_under_seatbelt(
 ) -> anyhow::Result<()> {
     let SeatbeltCommand {
         full_auto,
-        sandbox,
         config_overrides,
         command,
     } = command;
     run_command_under_sandbox(
         full_auto,
-        sandbox,
         command,
         config_overrides,
         codex_linux_sandbox_exe,
@@ -41,13 +38,11 @@ pub async fn run_command_under_landlock(
 ) -> anyhow::Result<()> {
     let LandlockCommand {
         full_auto,
-        sandbox,
         config_overrides,
         command,
     } = command;
     run_command_under_sandbox(
         full_auto,
-        sandbox,
         command,
         config_overrides,
         codex_linux_sandbox_exe,
@@ -63,13 +58,12 @@ enum SandboxType {
 
 async fn run_command_under_sandbox(
     full_auto: bool,
-    sandbox: SandboxPermissionOption,
     command: Vec<String>,
     config_overrides: CliConfigOverrides,
     codex_linux_sandbox_exe: Option<PathBuf>,
     sandbox_type: SandboxType,
 ) -> anyhow::Result<()> {
-    let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
+    let sandbox_policy = create_sandbox_policy(full_auto);
     let cwd = std::env::current_dir()?;
     let config = Config::load_with_cli_overrides(
         config_overrides
@@ -110,13 +104,10 @@ async fn run_command_under_sandbox(
     handle_exit_status(status);
 }
 
-pub fn create_sandbox_policy(full_auto: bool, sandbox: SandboxPermissionOption) -> SandboxPolicy {
+pub fn create_sandbox_policy(full_auto: bool) -> SandboxPolicy {
     if full_auto {
-        SandboxPolicy::new_full_auto_policy()
+        SandboxPolicy::new_workspace_write_policy()
     } else {
-        match sandbox.permissions.map(Into::into) {
-            Some(sandbox_policy) => sandbox_policy,
-            None => SandboxPolicy::new_read_only_policy(),
-        }
+        SandboxPolicy::new_read_only_policy()
     }
 }

codex-rs/cli/src/debug_sandbox.rs

@@ -5,17 +5,13 @@ pub mod proto;
 
 use clap::Parser;
 use codex_common::CliConfigOverrides;
-use codex_common::SandboxPermissionOption;
 
 #[derive(Debug, Parser)]
 pub struct SeatbeltCommand {
     /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
     #[arg(long = "full-auto", default_value_t = false)]
     pub full_auto: bool,
 
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
     #[clap(skip)]
     pub config_overrides: CliConfigOverrides,
 
@@ -30,9 +26,6 @@ pub struct LandlockCommand {
     #[arg(long = "full-auto", default_value_t = false)]
     pub full_auto: bool,
 
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
     #[clap(skip)]
     pub config_overrides: CliConfigOverrides,
 

codex-rs/cli/src/lib.rs

@@ -1,13 +1,9 @@
 //! Standard type to use with the `--approval-mode` CLI option.
 //! Available when the `cli` feature is enabled for the crate.
 
-use clap::ArgAction;
-use clap::Parser;
 use clap::ValueEnum;
 
-use codex_core::config::parse_sandbox_permission_with_base_path;
 use codex_core::protocol::AskForApproval;
-use codex_core::protocol::SandboxPermission;
 
 #[derive(Clone, Copy, Debug, ValueEnum)]
 #[value(rename_all = "kebab-case")]
@@ -36,38 +32,3 @@ impl From<ApprovalModeCliArg> for AskForApproval {
         }
     }
 }
-
-#[derive(Parser, Debug)]
-pub struct SandboxPermissionOption {
-    /// Specify this flag multiple times to specify the full set of permissions
-    /// to grant to Codex.
-    ///
-    /// ```shell
-    /// codex -s disk-full-read-access \
-    ///       -s disk-write-cwd \
-    ///       -s disk-write-platform-user-temp-folder \
-    ///       -s disk-write-platform-global-temp-folder
-    /// ```
-    ///
-    /// Note disk-write-folder takes a value:
-    ///
-    /// ```shell
-    ///     -s disk-write-folder=$HOME/.pyenv/shims
-    /// ```
-    ///
-    /// These permissions are quite broad and should be used with caution:
-    ///
-    /// ```shell
-    ///     -s disk-full-write-access
-    ///     -s network-full-access
-    /// ```
-    #[arg(long = "sandbox-permission", short = 's', action = ArgAction::Append, value_parser = parse_sandbox_permission)]
-    pub permissions: Option<Vec<SandboxPermission>>,
-}
-
-/// Custom value-parser so we can keep the CLI surface small *and*
-/// still handle the parameterised `disk-write-folder` case.
-fn parse_sandbox_permission(raw: &str) -> std::io::Result<SandboxPermission> {
-    let base_path = std::env::current_dir()?;
-    parse_sandbox_permission_with_base_path(raw, base_path)
-}

codex-rs/common/src/approval_mode_cli_arg.rs

@@ -6,8 +6,6 @@ pub mod elapsed;
 
 #[cfg(feature = "cli")]
 pub use approval_mode_cli_arg::ApprovalModeCliArg;
-#[cfg(feature = "cli")]
-pub use approval_mode_cli_arg::SandboxPermissionOption;
 
 #[cfg(any(feature = "cli", test))]
 mod config_override;

codex-rs/common/src/lib.rs

@@ -106,7 +106,6 @@ Here is an example of a `config.toml` that defines multiple profiles:
 ```toml
 model = "o3"
 approval_policy = "unless-allow-listed"
-sandbox_permissions = ["disk-full-read-access"]
 disable_response_storage = false
 
 # Setting `profile` is equivalent to specifying `--profile o3` on the command
@@ -170,31 +169,42 @@ To disable reasoning summaries, set `model_reasoning_summary` to `"none"` in you
 model_reasoning_summary = "none"  # disable reasoning summaries
 ```
 
-## sandbox_permissions
+## sandbox
 
-List of permissions to grant to the sandbox that Codex uses to execute untrusted commands:
+The `sandbox` configuration determines the _sandbox policy_ that Codex uses to execute untrusted commands. The `mode` determines the "base policy." Currently, only `workspace-write` supports additional configuration options, but this may change in the future.
+
+The default policy is `read-only`, which means commands can read any file on disk, but attempts to write a file or access the network will be blocked.
 
 ```toml
-# This is comparable to --full-auto in the TypeScript Codex CLI, though
-# specifying `disk-write-platform-global-temp-folder` adds /tmp as a writable
-# folder in addition to $TMPDIR.
-sandbox_permissions = [
-    "disk-full-read-access",
-    "disk-write-platform-user-temp-folder",
-    "disk-write-platform-global-temp-folder",
-    "disk-write-cwd",
-]
+[sandbox]
+mode = "read-only"
 ```
 
-To add additional writable folders, use `disk-write-folder`, which takes a parameter (this can be specified multiple times):
+A more relaxed policy is `workspace-write`. When specified, the current working directory for the Codex task will be writable (as well as `$TMPDIR` on macOS). Note that the CLI defaults to using `cwd` where it was spawned, though this can be overridden using `--cwd/-C`.
 
 ```toml
-sandbox_permissions = [
-    # ...
-    "disk-write-folder=/Users/mbolin/.pyenv/shims",
+[sandbox]
+mode = "workspace-write"
+
+# By default, only the cwd for the Codex session will be writable (and $TMPDIR on macOS),
+# but you can specify additional writable folders in this array.
+writable_roots = [
+    "/tmp",
 ]
+network_access = false  # Like read-only, this also defaults to false and can be omitted.
 ```
 
+To disable sandboxing altogether, specify `danger-full-access` like so:
+
+```toml
+[sandbox]
+mode = "danger-full-access"
+```
+
+This is reasonable to use if Codex is running in an environment that provides its own sandboxing (such as a Docker container) such that further sandboxing is unnecessary.
+
+Though using this option may also be necessary if you try to use Codex in environments where its native sandboxing mechanisms are unsupported, such as older Linux kernels or on Windows.
+
 ## mcp_servers
 
 Defines the list of MCP servers that Codex can consult for tool use. Currently, only servers that are launched by executing a program that communicate over stdio are supported. For servers that use the SSE transport, consider an adapter like [mcp-proxy](https://github.com/sparfenyuk/mcp-proxy).