Summary
When running codex mcp-server inside a multi-agent setup where the outer agent is sandboxed (e.g., Docker container with only workspace mounted), Codex runs on the host and can read the entire filesystem as the host user. The sandbox_permissions config exists and has_full_disk_read_access() is checked in code, but the Landlock policy always grants full read access regardless — the restriction branch is a TODO.
Reproduction
# workspace-write mode: can still read anything the user can
codex sandbox linux -c sandbox_mode=workspace-write -- cat /etc/passwd
# works ✅
# Empty sandbox_permissions: no effect on reads
codex sandbox linux -c sandbox_mode=workspace-write \
-c 'sandbox_permissions=[]' -- cat /etc/passwd
# still works ✅
# Writes are correctly restricted:
codex sandbox linux -c sandbox_mode=workspace-write -- touch /var/tmp/test
# Permission denied ✅ (expected)
Why this matters
codex mcp-server is designed to be consumed by other agents. When the consuming agent runs in a sandboxed environment (Docker, etc.) that restricts filesystem access, giving it a Codex MCP tool effectively grants a read escape: Codex runs on the host, outside that sandbox, so the agent can read gateway configs, credentials, other agents' workspaces, and SSH keys through Codex and then exfiltrate them over the network.
A config like sandbox_permissions=[] (or an explicit readable_roots analogous to writable_roots) would let operators scope Codex reads to just the workspace directory.
Existing code
The infrastructure appears to be in place — has_full_disk_read_access() exists on the sandbox policy, and disk-full-read-access is a documented permission value in --help. The Landlock ruleset just needs a branch that restricts read access to cwd + system dirs when this permission is absent.
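To make the proposed branch concrete, here is a small model of how Landlock-style allow lists compose: a path gets an access right only if some rule on it or on an ancestor carries that right, and everything else is denied. It contrasts the reported behaviour (read granted on "/" unconditionally, writes scoped to cwd and writable_roots) with the missing branch (full-disk read only when disk-full-read-access is present, otherwise reads limited to cwd, the writable roots and a set of system directories). This is an added illustration written for this report, not code from the codex repository; the function names, the SYSTEM_READ_ROOTS list and the layout of the permission string are assumptions.

```python
"""Model of a Landlock read restriction composed with the existing write
restriction. Added illustration, not codex code: the system-directory list,
the function names and the permission string layout are assumptions."""
import os
from dataclasses import dataclass, field

READ = 1   # stands in for LANDLOCK_ACCESS_FS_READ_FILE | READ_DIR
WRITE = 2  # stands in for the write/make/remove access bits

# Assumed directories a sandboxed process needs to read (interpreters,
# shared libraries). Deliberately excludes $HOME and /etc.
SYSTEM_READ_ROOTS = ("/usr", "/bin", "/sbin", "/lib", "/lib64")


def _is_under(path, root):
    """True if path equals root or lies beneath it."""
    path = os.path.normpath(path)
    root = os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


@dataclass
class Ruleset:
    """Landlock-style allow list: rights accumulate from every rule whose
    root is an ancestor of the path; no matching rule means deny."""
    rules: list = field(default_factory=list)  # (root, access_bits)

    def add_rule(self, root, access):
        self.rules.append((os.path.normpath(root), access))
        return self

    def allows(self, path, access):
        granted = 0
        for root, bits in self.rules:
            if _is_under(path, root):
                granted |= bits
        return granted & access == access


def current_ruleset(cwd, writable_roots=()):
    """Behaviour the issue reports: writes are scoped, but read access is
    always granted on '/' because the restricting branch is unimplemented."""
    rs = Ruleset().add_rule("/", READ)
    for root in (cwd, *writable_roots):
        rs.add_rule(root, WRITE)
    return rs


def proposed_ruleset(cwd, writable_roots=(), sandbox_permissions=()):
    """Missing branch: grant '/' for reads only when the (assumed) permission
    string 'disk-full-read-access' is present; otherwise reads are limited to
    cwd, the writable roots and SYSTEM_READ_ROOTS."""
    rs = Ruleset()
    if "disk-full-read-access" in sandbox_permissions:
        rs.add_rule("/", READ)
    else:
        for root in (cwd, *writable_roots, *SYSTEM_READ_ROOTS):
            rs.add_rule(root, READ)
    for root in (cwd, *writable_roots):
        rs.add_rule(root, WRITE)
    return rs


def audit(ruleset, probes):
    """Evaluate (path, access) probes against a ruleset -> {path: allowed}."""
    return {path: ruleset.allows(path, access) for path, access in probes}


if __name__ == "__main__":
    # Constructed sample paths mirroring the reproduction above.
    cwd = "/work/repo"
    probes = [
        ("/work/repo/src/main.rs", READ),
        ("/etc/passwd", READ),
        ("/home/agent/.ssh/id_ed25519", READ),
        ("/usr/bin/cat", READ),
        ("/var/tmp/test", WRITE),
        ("/work/repo/out.txt", WRITE),
    ]
    print("current :", audit(current_ruleset(cwd), probes))
    print("proposed:", audit(proposed_ruleset(cwd, sandbox_permissions=[]), probes))
```

With the proposed ruleset and an empty sandbox_permissions list, /etc/passwd and the SSH key are denied while files under cwd and /usr remain readable, and the write scoping is unchanged. A real Landlock policy would still need a few read rules under /etc (for example ld.so.cache and resolv.conf) and under /proc and /dev; Landlock accepts rules on individual files, so those can be granted without opening the whole of /etc, which keeps a probe like cat /etc/passwd denied.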
Related