how-to-guide

Sandbox Implementations Supported by Codex CLI: macOS, Linux, and Windows

March 6, 2026 openai/codex ↗

Codex CLI supports three platform-specific sandbox implementations: Seatbelt for macOS, Landlock combined with seccomp for Linux, and a restricted-token sandbox for Windows.

The OpenAI Codex repository provides secure command execution through native operating system isolation mechanisms. Understanding the sandbox implementations supported by Codex CLI ensures developers can safely execute untrusted code across different platforms using the appropriate kernel-level or system-level restrictions.

Supported Sandbox Platforms

Codex CLI routes sandbox requests to platform-specific implementations defined in the SandboxCommand enum located in codex-rs/cli/src/main.rs (lines 37-48). Each implementation leverages native OS security features to restrict resource access.

macOS Seatbelt Sandbox

The Seatbelt implementation utilizes macOS's native sandboxing service to enforce strict limits on file system access and network connectivity. This macOS-specific security mechanism prevents sandboxed processes from accessing unauthorized resources.

Invoke this sandbox using the macos subcommand or its seatbelt alias:

codex sandbox macos -- ls -l /tmp

Under the hood, the CLI calls run_command_under_seatbelt defined in codex-rs/cli/src/debug_sandbox.rs to configure and launch the Seatbelt profile.

Linux Landlock and Seccomp Sandbox

For Linux systems, Codex CLI implements a Landlock LSM (Linux Security Modules) combined with seccomp (secure computing mode) sandbox. This dual-layer approach restricts filesystem access through Landlock while filtering dangerous system calls via seccomp.

Access this implementation using the linux subcommand or the landlock alias:

codex sandbox linux -- env | grep HOME

The underlying logic resides in run_command_under_landlock within codex-rs/cli/src/debug_sandbox.rs, which sets up the Landlock ruleset and seccomp filters before executing the target command.

Windows Restricted-Token Sandbox

On Windows, the CLI employs a restricted-token sandbox that creates a token with dropped privileges for the child process. This Windows security primitive limits the command's access rights and capabilities within the operating system.

Execute commands under this sandbox using:

codex sandbox windows -- whoami

The Windows implementation is handled by run_command_under_windows in codex-rs/cli/src/debug_sandbox.rs, which configures the restricted token and associated security descriptors.

How to Use Codex CLI Sandbox Commands

The codex sandbox subcommand requires a platform specifier followed by -- to separate sandbox flags from the target command:


# macOS example with alias

codex sandbox seatbelt -- cat /etc/passwd

# Linux example with alias  

codex sandbox landlock -- python script.py

# Windows example

codex sandbox windows -- dir C:\

According to the source code in codex-rs/utils/cli/src/sandbox_mode_cli_arg.rs, the --sandbox flag provides an alternative CLI interface that maps to the same policy enum used by the sandbox subcommand.

Implementation Architecture

The sandbox routing logic spans three critical source files:

codex-rs/cli/src/main.rs: Defines the SandboxCommand enum and parses the codex sandbox subcommand arguments (lines 37-48).
codex-rs/cli/src/debug_sandbox.rs: Implements the platform-specific launchers: run_command_under_seatbelt, run_command_under_landlock, and run_command_under_windows.
codex-rs/utils/cli/src/sandbox_mode_cli_arg.rs: Provides the --sandbox CLI flag that integrates with the sandbox policy system.

Summary

macOS uses the Seatbelt sandbox to restrict file and network access.
Linux combines Landlock and seccomp to limit filesystem operations and system calls.
Windows employs a restricted-token mechanism to drop process privileges.
Execute commands via codex sandbox <platform> -- <command> using platform names (macos, linux, windows) or aliases (seatbelt, landlock).
Implementation logic resides in codex-rs/cli/src/debug_sandbox.rs with command parsing in codex-rs/cli/src/main.rs.

Frequently Asked Questions

Which sandbox implementations are supported by Codex CLI on different operating systems?

Codex CLI supports three platform-specific implementations: Seatbelt for macOS, Landlock with seccomp for Linux, and a restricted-token sandbox for Windows. Each implementation uses native OS security primitives appropriate for the platform.

How do I execute commands inside a Codex CLI sandbox?

Use the codex sandbox subcommand followed by the platform identifier, then --, then your command. For example: codex sandbox macos -- python script.py. The -- separator distinguishes sandbox flags from the command arguments.

Where is the sandbox logic implemented in the Codex source code?

The sandbox command parsing resides in codex-rs/cli/src/main.rs (lines 37-48), while the platform-specific execution logic is implemented in codex-rs/cli/src/debug_sandbox.rs through the functions run_command_under_seatbelt, run_command_under_landlock, and run_command_under_windows.

Can I use shorter aliases instead of full platform names?

Yes. The CLI accepts seatbelt as an alias for macos, landlock as an alias for linux, and windows maps directly to the Windows implementation. These aliases are defined in the SandboxCommand enum in codex-rs/cli/src/main.rs.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:

curl -s "https://instagit.com/install.md"

Add to your MCP client configuration:

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}

Ask your agent:

"Use Instagit MCP to understand how openai/codex works."

Works with

Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →