Enum SandboxPolicy 

pub enum SandboxPolicy {
    ReadOnly {
        network_access: bool,
        network_allowlist: Vec<NetworkAllowlistEntry>,
    },
    WorkspaceWrite {
        writable_roots: Vec<WritableRoot>,
        network_access: bool,
        network_allowlist: Vec<NetworkAllowlistEntry>,
        sensitive_paths: Option<Vec<SensitivePath>>,
        resource_limits: ResourceLimits,
        seccomp_profile: SeccompProfile,
        exclude_tmpdir_env_var: bool,
        exclude_slash_tmp: bool,
    },
    DangerFullAccess,
    ExternalSandbox {
        description: String,
    },
}

Sandbox policy determining what operations are permitted during execution.

This follows the Codex sandboxing model with three main variants:

• ReadOnly: Only read operations allowed (safe for viewing files)
• WorkspaceWrite: Can write within specified directories
• DangerFullAccess: No restrictions (dangerous, requires explicit approval)

The field guide’s three-question model:

1. What is shared between this code and the host? (boundary)
2. What can the code touch? (policy - this enum)
3. What survives between runs? (lifecycle)

Variants

ReadOnly

No write access to the filesystem; network access may be restricted or allowlisted.

Fields

network_access: bool

Whether network access is enabled when no allowlist is set.

network_allowlist: Vec<NetworkAllowlistEntry>

Domain-based network egress allowlist.

WorkspaceWrite

Write access limited to the specified roots; network controlled by allowlist.

Fields

writable_roots: Vec<WritableRoot>

Directories where write access is permitted.

network_access: bool

Whether network access is allowed (legacy boolean, use network_allowlist for fine-grained control).

network_allowlist: Vec<NetworkAllowlistEntry>

Domain-based network egress allowlist. When non-empty, only connections to these destinations are permitted. Following field guide: “Default-deny outbound network, then allowlist.”

sensitive_paths: Option<Vec<SensitivePath>>

Sensitive paths to block (credentials, SSH keys, cloud configs). Following field guide: prevents “policy leakage” of credentials. Defaults to DEFAULT_SENSITIVE_PATHS if None.

resource_limits: ResourceLimits

Resource limits (memory, PIDs, disk, CPU). Following field guide: prevents fork bombs, memory exhaustion.

seccomp_profile: SeccompProfile

Seccomp-BPF profile for Linux syscall filtering. Following field guide: “Landlock + seccomp is the recommended Linux pattern.”

exclude_tmpdir_env_var: bool

Exclude the TMPDIR environment variable from writable roots.

exclude_slash_tmp: bool

Exclude /tmp from writable roots.

DangerFullAccess

Full access - no sandbox restrictions applied. Use with extreme caution.

ExternalSandbox

External sandbox - the caller is responsible for sandbox setup.

Fields

description: String

Description of the external sandbox mechanism.

Implementations

impl SandboxPolicy

pub fn read_only() -> Self

Create a read-only policy.

pub fn new_read_only_policy() -> Self

Create a new read-only policy (alias for backwards compatibility).

pub fn read_only_with_network( network_allowlist: Vec<NetworkAllowlistEntry>, ) -> Self

Create a read-only policy with a network allowlist.

pub fn read_only_with_full_network() -> Self

Create a read-only policy with full network access.

pub fn workspace_write(writable_roots: Vec<PathBuf>) -> Self

Create a workspace-write policy with specified roots. Uses default sensitive path blocking and strict seccomp profile.

pub fn workspace_write_with_network( writable_roots: Vec<PathBuf>, network_allowlist: Vec<NetworkAllowlistEntry>, ) -> Self

Create a workspace-write policy with network allowlist.

pub fn workspace_write_with_sensitive_paths( writable_roots: Vec<PathBuf>, sensitive_paths: Vec<SensitivePath>, ) -> Self

Create a workspace-write policy with custom sensitive path settings.

pub fn workspace_write_no_sensitive_blocking( writable_roots: Vec<PathBuf>, ) -> Self

Create a workspace-write policy without sensitive path blocking (dangerous).

pub fn workspace_write_with_limits( writable_roots: Vec<PathBuf>, resource_limits: ResourceLimits, ) -> Self

Create a workspace-write policy with resource limits. Useful for untrusted code that needs containment.

pub fn workspace_write_full( writable_roots: Vec<PathBuf>, network_allowlist: Vec<NetworkAllowlistEntry>, sensitive_paths: Option<Vec<SensitivePath>>, resource_limits: ResourceLimits, seccomp_profile: SeccompProfile, ) -> Self

Create a fully-configured workspace-write policy.

pub fn full_access() -> Self

Create a full-access policy (dangerous).

pub fn has_full_network_access(&self) -> bool

Check if the policy allows full network access (unrestricted).

pub fn has_network_allowlist(&self) -> bool

Check if the policy has a network allowlist (domain-restricted access).

pub fn network_allowlist(&self) -> &[NetworkAllowlistEntry]

Get the network allowlist entries, if any.

pub fn is_network_allowed(&self, domain: &str, port: u16) -> bool

Check if network access to a specific domain:port is allowed.

pub fn sensitive_paths(&self) -> Vec<SensitivePath>

Get the effective sensitive paths to block. Returns default paths if not explicitly configured.

pub fn sensitive_paths_for_execution(&self, cwd: &Path) -> Vec<SensitivePath>

Get sensitive paths including write-only protected directories for writable roots.

pub fn is_sensitive_path(&self, path: &Path) -> bool

Check if a path is a sensitive location that should be blocked.

pub fn is_path_write_blocked(&self, path: &Path, cwd: &Path) -> bool

Check if write access to a path is blocked under this policy.

pub fn is_path_readable(&self, path: &Path) -> bool

Check if read access to a path is allowed under this policy.

pub fn resource_limits(&self) -> ResourceLimits

Get the resource limits for this policy.

pub fn seccomp_profile(&self) -> SeccompProfile

Get the seccomp profile for this policy (Linux only).

pub fn has_full_disk_write_access(&self) -> bool

Check if the policy allows full disk write access.

pub fn has_full_disk_read_access(&self) -> bool

Check if the policy allows full disk read access.

pub fn get_writable_roots_with_cwd(&self, cwd: &Path) -> Vec<WritableRoot>

Get the list of writable roots including the current working directory.

pub fn is_path_writable(&self, path: &Path, cwd: &Path) -> bool

Check if a path is writable under this policy.

pub fn can_set(&self, new_policy: &SandboxPolicy) -> Result<()>

Validate that another policy can be set from this one. Used to enforce policy escalation restrictions.

pub fn description(&self) -> &'static str

Get a human-readable description of the policy.

Trait Implementations

impl Clone for SandboxPolicy

fn clone(&self) -> SandboxPolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SandboxPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SandboxPolicy

fn default() -> Self

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for SandboxPolicy

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Eq for SandboxPolicy

impl PartialEq for SandboxPolicy

fn eq(&self, other: &SandboxPolicy) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for SandboxPolicy

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for SandboxPolicy