TL;DR
Modern coding agents gain power from permissive tools like an interactive bash environment, but that same expressiveness creates serious risks. The Codex CLI defaults to sandboxed execution using macOS Seatbelt or Linux helpers and exposes three access modes (Read Only, Auto, Full), illustrating trade-offs between safety and convenience.
What happened
Recent work on agent sandboxes examines how powerful coding assistants obtain and are constrained by platform permissions. Agents rely heavily on a general-purpose shell tool that can run arbitrary commands, from ad hoc Python snippets to network requests, making it effectively Turing-complete and capable of damaging operations. While full isolation via containers is presented as the safest option, the author observes that few people actually run agents inside VM/container sandboxes. As a middle ground, some services use command whitelists that require human approval for specific commands; these are useful but brittle and impractical when a user is not present. The Codex CLI was analyzed in depth: it launches in a workspace-limited default mode and routes every tool call through a central dispatcher that chooses between running commands raw, under macOS Seatbelt, or via a Linux seccomp helper. On macOS the implementation injects Seatbelt policies, enumerates writable roots while marking .git directories read-only, and either includes or omits network permissions based on policy.
Why it matters
- Agents’ access to expressive shell tools increases both productivity and the risk of data exposure or destructive commands.
- Many users do not run agents in full virtualization despite that being the safest approach, leaving gaps in practical security.
- Platform-specific sandboxing (macOS Seatbelt, Linux primitives) forces trade-offs: coarse network control, policy complexity, and potential configuration mistakes.
- Default sandboxing behavior and clear, enforceable policies can change how developers trust and deploy coding agents in real projects.
Key facts
- Interactive bash is the most expressive and most dangerous tool available to coding agents; it can run arbitrary code, compile, and access networks.
- Full virtualization (containers/VMs) is presented as the safest execution model, but the author believes few users actually do this.
- Command whitelists (used by services like Claude Code and Cursor in normal modes) ask humans to approve commands but are brittle and impractical if the user is absent.
- Codex CLI exposes three access modes: Read Only (reads only; approvals required for edits/commands/network), Auto (workspace read/edit/command allowed; approvals needed for external workspace or network), and Full Access (no approvals, network allowed).
- Codex’s execution pipeline wraps the CLI entrypoint and routes every tool call through a dispatcher that selects SandboxType for each command.
- On macOS Codex uses the Seatbelt sandboxing framework; it enumerates writable roots from a SandboxPolicy and carves out .git directories as read-only.
- Network permissions in the Seatbelt implementation are binary: policies either include explicit network allowances or omit them, relying on Seatbelt’s deny-by-default behavior.
- Linux sandboxing options referenced include Landlock, seccomp-BPF, namespaces, and cgroups; different primitives provide filesystem, syscall, network, and resource controls.
- Seatbelt is described as still widely used despite Apple marking it deprecated, and misconfigured policies can leave security holes such as exposing user dotfiles.
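As an added illustration (not Codex's own code), a small Python generator for a Seatbelt profile in the shape the key facts describe: writable roots taken from a policy, each root's .git directory carved out as read-only, and a network allowance that is either emitted or omitted, leaving deny-by-default to refuse it. It assumes a hypothetical SandboxPolicy shape and SBPL's last-matching-rule precedence; the writes_allowed evaluator is a toy checker for reasoning about the emitted rules, not Seatbelt itself.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class SandboxPolicy:
    # Assumed shape, not Codex's own type: roots the agent may write under,
    # plus a single bit for network access (the digest says it is binary).
    writable_roots: list = field(default_factory=list)
    allow_network: bool = False


def _quote(path: str) -> str:
    # SBPL string literals are double-quoted; escape backslash and quote.
    return '"' + path.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_profile(policy: SandboxPolicy) -> str:
    """Emit a deny-by-default Seatbelt profile for the given policy."""
    lines = ["(version 1)", "(deny default)", "(allow file-read*)"]
    for root in policy.writable_roots:
        root = str(PurePosixPath(root))
        if not root.startswith("/"):
            raise ValueError(f"writable root must be absolute: {root}")
        lines.append(f"(allow file-write* (subpath {_quote(root)}))")
        # Assumes SBPL last-match-wins semantics: the .git deny must come
        # after the allow for its parent root to carve the directory out.
        git_dir = str(PurePosixPath(root) / ".git")
        lines.append(f"(deny file-write* (subpath {_quote(git_dir)}))")
    if policy.allow_network:
        lines.append("(allow network*)")
    # No explicit network deny: "(deny default)" already covers it.
    return "\n".join(lines) + "\n"


_WRITE_RULE = re.compile(r'^\((allow|deny) file-write\* \(subpath "((?:[^"\\]|\\.)*)"\)\)$')


def writes_allowed(profile: str, path: str) -> bool:
    """Toy evaluator (not Seatbelt): decide file-write* for `path` with
    last-matching-rule semantics and a deny-default starting verdict."""
    verdict = False
    for line in profile.splitlines():
        m = _WRITE_RULE.match(line)
        if not m:
            continue
        root = re.sub(r"\\(.)", r"\1", m.group(2))  # undo SBPL escaping
        if path == root or path.startswith(root.rstrip("/") + "/"):
            verdict = m.group(1) == "allow"
    return verdict


def network_allowed(profile: str) -> bool:
    return "(allow network*)" in profile.splitlines()
```

Note that a sibling directory sharing a prefix with a root (proj vs. proj2) is not matched, which is the subpath check a policy author most often gets wrong.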
What to watch next
- Whether more users and tools begin defaulting to containerized or VM-based sandboxes for agent execution — not confirmed in the source
- Efforts to introduce finer-grained, domain-level network controls for agent sandboxes (e.g., allow only specific APIs) — not confirmed in the source
- Tooling or policy frameworks that reduce human error when authoring Seatbelt or other OS sandbox policies — not confirmed in the source
Quick glossary
- Seatbelt: Apple’s lower-level sandboxing framework used to enforce process-level restrictions on macOS; App Sandbox is built on top of it.
- seccomp-BPF: A Linux kernel feature that filters which system calls a process may make, used to limit process capabilities.
- Landlock: A Linux security module (available in newer kernels) that provides capability-based filesystem access control for processes.
- Command whitelist: A human-in-the-loop control in which a person must approve a specific command before the agent may run it; once approved, the command is remembered so later runs do not prompt again.
- Containerization: Running software inside isolated user-space instances (containers) to separate processes, filesystems, and resources from the host system.
Reader FAQ
Are coding agents sandboxed by default?
For the Codex CLI, the default mode limits the agent to the current folder and routes commands through a sandboxing dispatcher; the implementation makes sandboxing the default path.
Does Codex use Docker for sandboxing on macOS?
No — on macOS Codex enforces restrictions using native Seatbelt APIs rather than Docker.
Do command whitelists fully solve the safety problem?
They help but are brittle: whitelists can block legitimate actions after environment changes and are impractical when a human approver is not present.
Is Seatbelt still used even though it’s deprecated?
Yes — the source notes Seatbelt remains widely used across system software and third-party programs despite Apple marking it deprecated.
Source excerpt: A deep dive on agent sandboxes (September 26, 2025): "The modern generation of coding agents are powerful in part because of their access permissions. They have a few built-in functions…"
Sources
- A deep dive on agent sandboxes
- Security
- Sandbox Architecture Overview | openai/codex
- The situation on macOS is so frustrating. sandbox-exec …