Tools & Platforms · OpenAI News · May 13, 2026

Building a safe, effective sandbox to enable Codex on Windows

The Codex engineering team has built a new sandbox implementation for Windows, giving OpenAI's coding agents a safer and more effective environment there. It addresses the previous lack of robust isolation features on Windows by letting Codex run with controlled file write and network access, without requiring administrative privileges. The team built its own mechanism on Security Identifiers (SIDs) and write-restricted tokens for granular control over file system modifications, plus environment overrides that limit network access, balancing productivity against security.

Author: Morein.ai Editorial

When the Codex engineering team began this work, Windows users of OpenAI's coding agents had no robust sandbox implementation. Codex, a coding agent that acts on the user's behalf, therefore ran with the full permissions of the real user by default. That made it powerful but also a significant security risk: it could do anything the user could, from running tests to modifying files or creating Git branches. Other operating systems offered built-in isolation tools; Windows did not. The team therefore set out to build a custom sandbox for Windows that matched the safety and ease of use available on other platforms, with one critical constraint for user convenience: it had to work without administrative privileges.

The core of the Windows sandbox is careful limiting of file write operations and network access. To control file writes, the team leveraged two Windows features: Security Identifiers (SIDs) and write-restricted tokens. SIDs, normally used to identify users and groups in permissions, were used to mint unique identifiers that exist only for the Codex sandbox. Placing these SIDs in Access Control Lists (ACLs) gives precise control over which files and directories the sandbox may modify. Write-restricted tokens, a special kind of process token, add a further layer: the system performs an extra access check on write operations against the token's restricting SIDs, so a write succeeds only where the ACL explicitly grants the sandbox SID write access. Together, these provide the granularity needed for safe file system interaction.

Limiting network access was a different kind of challenge, mainly because of the requirement not to need elevated permissions. Standard tools such as Windows Firewall were ruled out without administrator rights. The team's approach instead makes network-dependent tools fail gracefully inside the sandbox, using environment overrides that redirect the traffic of common tools such as Git and package installers to non-existent endpoints. While this covers many common scenarios, it is advisory rather than a hard block: it discourages unauthorized network activity by making typical internet-facing operations fail inside the sandbox, prompting the user to approve such actions outside it.
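An added example of the two controls described above, written in PowerShell and not code from the Codex team: it grants a placeholder sandbox SID write access on a single workspace directory, which is exactly the ACE a write-restricted token would need to honour a write there, and sets advisory proxy overrides so network tools fail inside the sandbox. The SID value, the choice of the Modify right, and the proxy variables are assumptions; minting the SID and creating the write-restricted token itself (the CreateRestrictedToken API) are not shown.

```powershell
# Added example, not the Codex team's code. Everything here runs without admin:
# the caller only needs to own the workspace directory.
param(
    [string]$Workspace  = 'C:\src\myproject',
    # Constructed placeholder; substitute the SID minted for the sandbox.
    [string]$SandboxSid = 'S-1-5-21-111111111-222222222-333333333-4444'
)

$sid = [System.Security.Principal.SecurityIdentifier]::new($SandboxSid)

# 1. File writes. A write-restricted token only passes the extra write check where
#    its restricting SID is granted write access, so grant Modify to the sandbox SID
#    on the workspace (inherited by subfolders and files) and nowhere else.
#    Every other location stays read-only for the sandboxed process.
$acl  = Get-Acl -Path $Workspace
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Workspace -AclObject $acl

# 2. Network. No admin means no firewall rule, so point the tools' own proxy
#    settings at an endpoint where nothing listens; `git fetch` or `npm install`
#    then fail fast inside the sandbox. Advisory only: a tool that ignores these
#    variables is not blocked.  (Variable names are an assumption of this example.)
$deadEnd = 'http://127.0.0.1:9'   # constructed dead end: the discard port
$env:HTTP_PROXY  = $deadEnd
$env:HTTPS_PROXY = $deadEnd
$env:ALL_PROXY   = $deadEnd
Remove-Item Env:NO_PROXY -ErrorAction SilentlyContinue   # nothing bypasses the dead end

# 3. Check that the ACE really landed before launching anything under the token.
$ace = (Get-Acl -Path $Workspace).Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $SandboxSid
}
if (-not $ace) { throw "sandbox ACE missing on $Workspace" }
"{0} may write under {1}; network calls are sent to {2}" -f $SandboxSid, $Workspace, $deadEnd
```

Child processes started from this session inherit the proxy variables, so the overrides apply to anything the sandbox launches.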
