CDX-301b · Module 1
Network Policies & Exec Restrictions
Network access in Codex is binary at the command level: a command either gets network access (allow-network) or it does not (allow). There is no middle ground — no domain allowlists, no port restrictions, no protocol filtering. This means an allow-network command can reach any host on any port. The security implication is clear: every allow-network rule is a potential data exfiltration channel. A command like "curl" with network access can send project data to any external server.
Exec restrictions go beyond network access. The sandbox prevents process spawning outside the allowed command set, blocks access to system-level resources (raw sockets, device files, kernel interfaces), and restricts inter-process communication. In workspace-write mode, Codex cannot install system packages, modify system configs, or start persistent services. These restrictions are enforced at the OS level (Seatbelt on macOS, Bubblewrap on Linux) and cannot be bypassed from within the sandbox.
```toml
# Network policy: minimal allow-network surface
[execpolicy]
# Only these commands get network access
"npm ci" = "allow-network"       # Package install (needs registry)
"npm install" = "allow-network"  # Package install
"git push *" = "allow-network"   # Push to remote
"git pull" = "allow-network"     # Pull from remote
"git fetch *" = "allow-network"  # Fetch from remote

# Everything else: local only
"npm test" = "allow"
"npm run *" = "allow"
"npx *" = "allow"
"node *" = "allow"
"git *" = "allow"                # Catch-all git (local ops)

# Explicitly deny network-capable tools
"curl *" = "deny"
"wget *" = "deny"
"nc *" = "deny"
"ssh *" = "deny"
"scp *" = "deny"
```
- Map network needs: List every command that requires network access. For each, document why it needs network. If you cannot justify it, it should be allow-only.
- Block exfiltration tools: Add explicit deny rules for curl, wget, nc, ssh, scp, and any other tool that can transmit data. If you need curl for a specific purpose, allowlist the exact command.
- Test the boundary: Run Codex and ask it to fetch a URL or install a package. Verify that blocked commands fail and allowed commands succeed. Check the error message is clear.
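
The first two checklist items can be run as a lint over the policy text. The script below is an added example, not part of the course material or of Codex: it assumes the rule format shown on this page (`"pattern" = "action"  # reason`), and the names `parse_rules`, `audit` and `SAMPLE_POLICY` are hypothetical.

```python
import re

# Tools the checklist above says to deny explicitly.
EXFIL_TOOLS = ("curl", "wget", "nc", "ssh", "scp")
# "pattern" = "action"   # optional justification comment
RULE = re.compile(r'^\s*"([^"\s][^"]*)"\s*=\s*"([a-z-]+)"\s*(?:#\s*(.*))?$')

# Constructed sample policy with three kinds of gap (not from the page).
SAMPLE_POLICY = '''
[execpolicy]
"npm ci" = "allow-network"  # Package install (needs registry)
"git push *" = "allow-network"
"npm test" = "allow"
"curl *" = "deny"
"wget *" = "allow-network"  # fetch release assets
"ssh *" = "deny"
'''

def parse_rules(text):
    """Return (pattern, action, justification) for every rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return rules

def audit(text):
    """Return (finding, subject) tuples for an execpolicy block."""
    rules = parse_rules(text)
    findings = []
    for pattern, action, why in rules:
        tool = pattern.split()[0]
        # Step 1: every allow-network rule needs a documented reason.
        if action == "allow-network" and not why:
            findings.append(("no-justification", pattern))
        # Step 2: a transmit-capable tool may only be allowed as an exact command.
        if action != "deny" and tool in EXFIL_TOOLS and "*" in pattern:
            findings.append(("wildcard-exfil-tool", pattern))
    # Step 2: each transmit-capable tool needs a blanket "<tool> *" deny rule.
    denied = {p.split()[0] for p, a, _ in rules if a == "deny" and p.endswith(" *")}
    for tool in EXFIL_TOOLS:
        if tool not in denied:
            findings.append(("missing-deny", tool))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_POLICY):
        print(f"{finding}: {subject}")
```

The lint only reads the policy text; it does not model how Codex resolves overlapping rules, so the boundary test in the last checklist item is still required.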