Container script firewall is overly restrictive

[BadPirate]

What version of Codex is running?

0.1.2504172351

Which model were you using?

any

What platform is your computer?

MacOS

What steps can reproduce the bug?

1. use run-in-container.sh script to open codex
2. Ask codex to ping google.com

Expectation:

Should be able to make benign internet requests

Actual:

All outbound traffic is blocked, this forces manual interventions for adding tools (which is fine because it's in the container), running commands like yarn install among many other little grievances.

What is the expected behavior?

Docker container should protect / prevent calls to host machine, but allow internet access.

What do you see instead?

No response

Additional information

No response

[BadPirate]

Note: I'm looking into this for myself but wanted to drop an issue as I assume this behavior others will want.

[fouad-openai]

This is actually intentional, at least for now - sorry for the confusion and lack of documentation! There's a few different risks when it comes to outbound network access, like:

• Prompt injection
• Installing packages without approval (could have vulnerabilities)
• Data exfiltration (accidental or caused by prompt injection, like posting a user's code on the internet)

We'll have guidance soon on how to do this safely, but since you've already started #383 I think it's reasonable to expose an argument like --dangerously-allow-network-outbound (added as comment on your PR) - lmk if you have questions!

[BadPirate]

Oh sorry, just noted your response here. What you say makes sense. If it is really dangerous, I might recommend opening an issue with the Mac client sandbox, Apple's sandbox-exec allows for blocking outbound network in the profile you provide when you use it, but based on my testing the current cli isn't doing so at the moment. I'll accept your changes.

[ikamensh]

I was thinking about safe browsing too - could it be server side like when using chatgpt? so not doing request from client machine but from openai servers. I assume the standard browsing on chatgpt already has features of not being able to post user content; due to sandboxing any prompt injection would be limited to failing the task at hand. I guess worst case is it proposes vulnerable, hacked code to the user and user is not paying attention?

The utility I'm looking for is reading related docs and repos that are on the internet.

[BadPirate]

For my use case at least, I found the apple sandbox and the container sandbox overly restrictive. Simple case: Asking codex to make changes, and test those changes before coming back to me (Otherwise I have to go multiple rounds as it stumbles through development)

    I ran npx next lint and everything is clean—no ESLint errors.

    However, when I try to run the Playwright suite (yarn test / npx playwright test), it can’t even
    start the Next.js dev server in this sandbox (it errors out with “EPERM: operation not permitted …
    listen 127.0.0.1:3000”). Because I can’t bind to a port here, the web server never comes up and the
    tests abort immediately.

    Could you let me know how you’d like me to proceed? For example:

        * Should I stub out or mock the web server in Playwright config so tests can run without
    launching Next.js?
        * Should I point them at an already‑running instance instead?
        * Or would you prefer to share the test‑output locally so I can diagnose the warnings you’re
    seeing?