Skip to content

Allow ptrace in the restricted-network Linux sandbox #16011

Open
Open
Allow ptrace in the restricted-network Linux sandbox#16011
Labels
enhancementNew feature or requestsandboxIssues related to permissions or sandboxing
@akihikodaki

Description

@akihikodaki
akihikodaki
opened on Mar 27, 2026

What variant of Codex are you using?

IDE Extension

What feature would you like to see?

I would like ptrace to work in restricted-network Linux sandbox sessions.

Without ptrace, Codex is much less useful for debugging native code. My main use case is QEMU/KVM development.

Today, the following command fails, which I would like to succeed:

codex sandbox linux --full-auto -c 'sandbox_workspace_write.network_access=false' strace true

Additional information

For comparison, this already works today when network access is enabled:

codex sandbox linux --full-auto -c 'sandbox_workspace_write.network_access=true' strace true

ptrace also does not work with managed proxy mode, even when network access is enabled:

codex exec -p <managed-proxy-profile> --full-auto 'Run `strace true`.'

However, managed proxy mode is not my use case.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsandboxIssues related to permissions or sandboxing

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions