# Sandbox Implementations Supported by Codex CLI: macOS, Linux, and Windows

> Discover the Codex CLI sandbox implementations: Seatbelt on macOS, Landlock with seccomp on Linux, and a restricted token on Windows. Secure your code execution across platforms.

- Repository: [OpenAI/codex](https://github.com/openai/codex)
- Tags: how-to-guide
- Published: 2026-03-06

---

**Codex CLI supports three platform-specific sandbox implementations: Seatbelt for macOS, Landlock combined with seccomp for Linux, and a restricted-token sandbox for Windows.**

The OpenAI Codex repository provides secure command execution through native operating system isolation mechanisms. Knowing which sandbox implementation Codex CLI uses on each platform helps developers run untrusted code under the appropriate kernel-level or system-level restrictions.

## Supported Sandbox Platforms

Codex CLI routes sandbox requests to platform-specific implementations defined in the `SandboxCommand` enum located in [`codex-rs/cli/src/main.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/main.rs) (lines 37-48). Each implementation leverages native OS security features to restrict resource access.

### macOS Seatbelt Sandbox

The **Seatbelt** implementation utilizes macOS's native sandboxing service to enforce strict limits on file system access and network connectivity. This macOS-specific security mechanism prevents sandboxed processes from accessing unauthorized resources.

Invoke this sandbox using the `macos` subcommand or its `seatbelt` alias:

```bash
codex sandbox macos -- ls -l /tmp
```

Under the hood, the CLI calls `run_command_under_seatbelt` defined in [`codex-rs/cli/src/debug_sandbox.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/debug_sandbox.rs) to configure and launch the Seatbelt profile.

### Linux Landlock and Seccomp Sandbox

For Linux systems, Codex CLI uses a sandbox that combines the **Landlock** LSM (Linux Security Module) with **seccomp** (secure computing mode). This dual-layer approach restricts filesystem access through Landlock while filtering dangerous system calls via seccomp.

Access this implementation using the `linux` subcommand or the `landlock` alias:

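```bash
# Only `env` runs inside the sandbox: the calling shell handles the pipe,
# so `grep HOME` runs outside it on the sandboxed command's output.
codex sandbox linux -- env | grep HOME
```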

The underlying logic resides in `run_command_under_landlock` within [`codex-rs/cli/src/debug_sandbox.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/debug_sandbox.rs), which sets up the Landlock ruleset and seccomp filters before executing the target command.

### Windows Restricted-Token Sandbox

On Windows, the CLI employs a **restricted-token** sandbox that creates a token with dropped privileges for the child process. This Windows security primitive limits the command's access rights and capabilities within the operating system.

Execute commands under this sandbox using:

```bash
codex sandbox windows -- whoami
```

The Windows implementation is handled by `run_command_under_windows` in [`codex-rs/cli/src/debug_sandbox.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/debug_sandbox.rs), which configures the restricted token and associated security descriptors.

## How to Use Codex CLI Sandbox Commands

The `codex sandbox` subcommand requires a platform specifier followed by `--` to separate sandbox flags from the target command:

```bash
# macOS example with alias
codex sandbox seatbelt -- cat /etc/passwd

# Linux example with alias
codex sandbox landlock -- python script.py

# Windows example
codex sandbox windows -- dir C:\
```
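Shell operators typed after `--` (pipes, redirects, `&&`) are handled by the calling shell, so in `codex sandbox linux -- env | grep HOME` only `env` is sandboxed. The wrapper below is an added example, not code from the Codex repository: it picks the subcommand from `uname -s` and hands the whole snippet to `sh -c` so every stage runs inside the sandbox. `sandbox_platform`, `run_sandboxed` and the `CODEX_BIN` override are names made up for this example, and it covers only the two POSIX platforms.

```bash
# Map a kernel name (default: `uname -s`) to the subcommand names the page
# lists. Only macOS and Linux are handled; anything else is rejected.
sandbox_platform() {
  kernel=${1:-$(uname -s)}
  case "$kernel" in
    Darwin) echo macos ;;
    Linux)  echo linux ;;
    *) echo "no POSIX sandbox mapping for: $kernel" >&2; return 1 ;;
  esac
}

# Run a complete shell snippet inside the sandbox.
#   $1  snippet, passed as ONE quoted argument so the calling shell does not
#       interpret its pipes or redirects
#   $2  optional kernel name override (useful for dry runs)
# CODEX_BIN is a hypothetical override for the binary name, defaulting to
# `codex`; it is not a variable the real CLI reads.
run_sandboxed() {
  platform=$(sandbox_platform "${2:-}") || return 1
  # The snippet becomes the single argument of `sh -c`, so the pipeline is
  # parsed by the shell that is itself running under the sandbox.
  set -- sh -c "$1"
  "${CODEX_BIN:-codex}" sandbox "$platform" -- "$@"
}

# Example call (left commented out so sourcing this file has no side effects):
#   run_sandboxed 'env | grep HOME'
```

Quote the snippet with single quotes at the call site; with double quotes the calling shell still expands variables and command substitutions before the sandbox starts.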

According to the source code in [`codex-rs/utils/cli/src/sandbox_mode_cli_arg.rs`](https://github.com/openai/codex/blob/main/codex-rs/utils/cli/src/sandbox_mode_cli_arg.rs), the `--sandbox` flag provides an alternative CLI interface that maps to the same policy enum used by the sandbox subcommand.

## Implementation Architecture

The sandbox routing logic spans three critical source files:

- **[`codex-rs/cli/src/main.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/main.rs)**: Defines the `SandboxCommand` enum and parses the `codex sandbox` subcommand arguments (lines 37-48).
- **[`codex-rs/cli/src/debug_sandbox.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/debug_sandbox.rs)**: Implements the platform-specific launchers: `run_command_under_seatbelt`, `run_command_under_landlock`, and `run_command_under_windows`.
- **[`codex-rs/utils/cli/src/sandbox_mode_cli_arg.rs`](https://github.com/openai/codex/blob/main/codex-rs/utils/cli/src/sandbox_mode_cli_arg.rs)**: Provides the `--sandbox` CLI flag that integrates with the sandbox policy system.

## Summary

- **macOS** uses the **Seatbelt** sandbox to restrict file and network access.
- **Linux** combines **Landlock** and **seccomp** to limit filesystem operations and system calls.
- **Windows** employs a **restricted-token** mechanism to drop process privileges.
- Execute commands via `codex sandbox <platform> -- <command>` using platform names (`macos`, `linux`, `windows`) or aliases (`seatbelt`, `landlock`).
- Implementation logic resides in [`codex-rs/cli/src/debug_sandbox.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/debug_sandbox.rs) with command parsing in [`codex-rs/cli/src/main.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/main.rs).

## Frequently Asked Questions

### Which sandbox implementations are supported by Codex CLI on different operating systems?

Codex CLI supports three platform-specific implementations: **Seatbelt** for macOS, **Landlock with seccomp** for Linux, and a **restricted-token** sandbox for Windows. Each implementation uses native OS security primitives appropriate for the platform.

### How do I execute commands inside a Codex CLI sandbox?

Use the `codex sandbox` subcommand followed by the platform identifier, then `--`, then your command. For example: `codex sandbox macos -- python script.py`. The `--` separator distinguishes sandbox flags from the command arguments.

### Where is the sandbox logic implemented in the Codex source code?

The sandbox command parsing resides in [`codex-rs/cli/src/main.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/main.rs) (lines 37-48), while the platform-specific execution logic is implemented in [`codex-rs/cli/src/debug_sandbox.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/debug_sandbox.rs) through the functions `run_command_under_seatbelt`, `run_command_under_landlock`, and `run_command_under_windows`.

### Can I use shorter aliases instead of full platform names?

Yes. The CLI accepts `seatbelt` as an alias for `macos`, `landlock` as an alias for `linux`, and `windows` maps directly to the Windows implementation. These aliases are defined in the `SandboxCommand` enum in [`codex-rs/cli/src/main.rs`](https://github.com/openai/codex/blob/main/codex-rs/cli/src/main.rs).