fix: only allow running without sandbox if explicitly marked in safe container (#699)

Signed-off-by: Thibault Sottiaux <tibo@openai.com>
2025-04-28 07:48:38 -07:00
parent 4eda4dd772
commit fa5fa8effc
4 changed files with 20 additions and 35 deletions
--- a/codex-cli/Dockerfile
+++ b/codex-cli/Dockerfile
@@ -46,6 +46,10 @@ RUN npm install -g codex.tgz \
  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs

+# Inside the container we consider the environment already sufficiently locked
+# down, therefore instruct Codex CLI to allow running without sandboxing.
+ENV CODEX_UNSAFE_ALLOW_NO_SANDBOX=1
+
 # Copy and set up firewall script as root.
 USER root
 COPY scripts/init_firewall.sh /usr/local/bin/