CDX-201a · Module 2

Tool Permissions & Exec Policies

Codex sandboxes restrict what commands can run and whether they get network access. The execpolicy system in config.toml is your fine-grained control layer — it defines which commands are allowed, which get network access, and which are blocked entirely. This is not about convenience; it is about security. A misconfigured execpolicy in full-auto mode can let Codex run arbitrary commands with network access.

Exec policies use glob-style matching. You can allowlist specific commands ("npm test" = "allow"), command families ("git *" = "allow-network"), or block dangerous operations ("rm -rf *" = "deny"). The sandbox mode (workspace-write, read-only, no-sandbox) sets the baseline, and execpolicy rules layer on top. Think of sandbox mode as the default-deny firewall and execpolicy as the allowlist rules.

# Exec policy — command-level permissions
[execpolicy]
# Package management — needs network
"npm install" = "allow-network"
"npm ci" = "allow-network"
"pnpm install" = "allow-network"

# Git — needs network for push/pull
"git *" = "allow-network"

# Build and test — local only
"npm test" = "allow"
"npm run build" = "allow"
"npx tsc *" = "allow"

# Dangerous — explicitly blocked
"rm -rf *" = "deny"
"curl * | sh" = "deny"

Do This

  • Start with workspace-write sandbox mode and add specific execpolicy allows
  • Use "allow-network" only for commands that genuinely need internet access
  • Block known dangerous patterns explicitly with "deny" rules
  • Keep project-specific policies in the project config, not your global file

Avoid This

  • Set no-sandbox to "make things easier" — you are removing all guardrails
  • Allowlist everything with broad globs like "* *" = "allow-network"
  • Forget to restrict curl, wget, or pip install in sensitive repos
  • Assume the sandbox catches everything — it is defense in depth, not infallible
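
The checklist above can be applied mechanically before a policy is used in full-auto mode. The linter below is an added example, not code from this course or from Codex. It assumes glob matching behaves like Python's fnmatch over the whole command string (the real matcher is not shown in this lesson), and the names parse_rules, audit and PROBES, the sample policy and the probe commands are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample policy in the rule syntax this lesson shows.
SAMPLE_POLICY = '''
[execpolicy]
"git *" = "allow-network"
"npm test" = "allow"
"* *" = "allow-network"
"rm -rf *" = "deny"
"curl * | sh" = "deny"
'''

RULE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*"(allow|allow-network|deny)"\s*$')

# Constructed probe commands for the tools the lesson says to restrict.
PROBES = {"curl": "curl https://example.invalid/file",
          "wget": "wget https://example.invalid/file",
          "pip install": "pip install example-package"}

def parse_rules(text):
    """Return (pattern, action) pairs found inside the [execpolicy] table."""
    rules, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("["):
            in_table = line.strip() == "[execpolicy]"
            continue
        m = RULE_RE.match(line)
        if in_table and m:
            rules.append((m.group(1), m.group(2)))
    return rules

def audit(text):
    """Return (severity, pattern_or_tool, message) findings for a policy."""
    rules, findings = parse_rules(text), []
    for pattern, action in rules:
        # A pattern made only of wildcards grants its action to every command.
        if action != "deny" and not pattern.replace("*", "").strip():
            findings.append(("high", pattern, "wildcard-only pattern grants " + action))
        elif action == "allow-network" and "*" in pattern:
            findings.append(("review", pattern, "network access for a whole command family"))
    # Assumption: fnmatch stands in for the policy engine's glob matcher.
    denies = [p for p, a in rules if a == "deny"]
    for tool, probe in PROBES.items():
        if not any(fnmatchcase(probe, p) for p in denies):
            findings.append(("review", tool, "no explicit deny rule matches: " + probe))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

On the sample policy, curl is still reported even though "curl * | sh" is denied: under the fnmatch assumption that pattern only matches a command string ending in "| sh", so a plain download is not covered by it.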