diff --git a/README.md b/README.md index 235e2e33..ab6cf3a7 100644 --- a/README.md +++ b/README.md @@ -137,13 +137,12 @@ The hardening mechanism Codex uses depends on your OS: - Outbound network is _fully blocked_ by default – even if a child process tries to `curl` somewhere it will fail. -- **Linux** – we recommend using Docker for sandboxing, where Codex launches itself inside a **minimal +- **Linux** – there is no sandboxing by default. + We recommend using Docker for sandboxing, where Codex launches itself inside a **minimal container image** and mounts your repo _read/write_ at the same path. A custom `iptables`/`ipset` firewall script denies all egress except the OpenAI API. This gives you deterministic, reproducible runs without needing - root on the host. You can read more in [`run_in_container.sh`](./codex-cli/scripts/run_in_container.sh) - -Both approaches are _transparent_ to everyday usage – you still run `codex` from your repo root and approve/reject steps as usual. + root on the host. You can use the [`run_in_container.sh`](./codex-cli/scripts/run_in_container.sh) script to set up the sandbox. --- diff --git a/codex-cli/src/utils/agent/handle-exec-command.ts b/codex-cli/src/utils/agent/handle-exec-command.ts index 84dbbc9c..93e8ea52 100644 --- a/codex-cli/src/utils/agent/handle-exec-command.ts +++ b/codex-cli/src/utils/agent/handle-exec-command.ts @@ -257,7 +257,7 @@ async function execCommand( }; } -const isInContainer = async (): Promise => { +const isInLinux = async (): Promise => { try { await access("/proc/1/cgroup"); return true; @@ -270,7 +270,7 @@ async function getSandbox(runInSandbox: boolean): Promise { if (runInSandbox) { if (process.platform === "darwin") { return SandboxType.MACOS_SEATBELT; - } else if (await isInContainer()) { + } else if (await isInLinux()) { return SandboxType.NONE; } throw new Error("Sandbox was mandated, but no sandbox is available!");