On Ubuntu, every single normal edit requires skipping sandbox

[jancellor]

What version of Codex CLI is running?

0.120.0

What subscription do you have?

Plus

Which model were you using?

gpt-5.4

What platform is your computer?

Linux 6.17.0-20-generic x86_64 x86_64 (Ubutnu 24.04)

What terminal emulator and version are you using (if applicable)?

gnome-terminal

What issue are you seeing?

Under Ubuntu, every normal edit to a file in the current working directory says it fails and prompts to skip the sandbox which does work to allow the edit. Last good version is 0.114.0. I believe this is related to bwrap and Ubuntu's default AppArmor configuration.

One work around is to add an AppArmor profile for the codex to allow userns, as below. I believe Claude Code had/has a similar problem that required allowing userns for the bwrap binary itself. No comment on security implications of loosening AppArmor like this. My layman understand was that Ubuntu's default rules are more conservative than other distros.

In /etc/apparmor.d/local-codex:

abi <abi/4.0>,
include <tunables/global>

profile local-codex <PATH_TO_CODEX> flags=(unconfined) {
  userns,

  include if exists <local/local-codex>
}

(I use mise to install node so that path was something like /home/me/.local/share/mise/installs/node/*/lib/node_modules/@openai/codex/node_modules/@openai/codex-linux-x64/vendor/x86_64-unknown-linux-musl/codex/codex.)

What steps can reproduce the bug?

Uploaded thread: 019d80f4-80f5-7613-a2b3-a8671c7b6429

What is the expected behavior?

No response

Additional information

No response

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• Linux sandbox failure (bwrap: Failed RTM_NEWADDR) causes all workspace edits to require sandbox bypass #17337
• 0.118.0 sandbox write regression on Linux #16402
• bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted #16334
• Ubuntu 25.10: command failed; retry without sandbox? #17134
• Linux sandbox fails with bwrap: loopback: Failed RTM_NEWADDR even though unshare -Urn and manual bwrap --unshare-net succeed #15982

Powered by Codex Action

[vicmik]

Same issue here on Ubuntu. The issue seems to be present from 0.118.0 and onwards. No issue in 0.117.0. Drives me insane. Had to downgrade to 0.117.0.

My config settings:
approval_policy = "on-request"
sandbox_mode = "workspace-write"

Here is the prompt I get every time any file is edited. Doesn't matter if I choose option 2. I will keep getting this prompt.

[etraut-openai]

Please see this documentation for details about how to enable the Codex bwrap-based sandbox if you have AppArmor enabled.

[NormanMises]

Did you follow the approach using bubblewrap to solve this issue? Not sure if I should update from 0.114.0 lol
0.117.0 sandbox still fails on my ubuntu20.04

[vicmik]

@etraut-openai I do have bubblewrap installed. In 0.170.0 it works fine. No problems (no warning on startup). Starting from 0.118.0, the sandboxing is ALWAYS blocking (still no warning on startup). Doing sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 does solve the problem but it removes a security hardening layer and increases kernel attack surface compared with the restricted default on modern Ubuntu. I don't understand why I am forced to remove this security feature to get codex to run properly. Please explain. I feel like it goes against modern sandboxing guidelines and more like a temporary workaround rather than a real solution.

My setup is: virtual machine where the agent user does not have access to 'sudo'. I'm on Ubuntu 24.04.4 LTS

[viyatb-oai]

@vicmik sorry for the inconvienience! can you paste the output of

codex sandbox linux -- /bin/true
command -v bwrap
readlink -f "$(command -v bwrap)"
echo $PATH

to help me debug? redact sensitive info in the $PATH

[vicmik]

@viyatb-oai

$ codex sandbox linux -- /bin/true
command -v bwrap
readlink -f "$(command -v bwrap)"
echo $PATH

/usr/bin/bwrap
/usr/bin/bwrap
/home/agent/.local/bin:/home/agent/.cargo/bin:/home/agent/.local/npm/bin:/home/agent/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[vavkamil]

Running into the same issue codex-cli 0.120.0 & Ubuntu 24.04.4 LTS & bubblewrap 0.9.0

• ⚠ Codex's Linux sandbox uses bubblewrap and needs access to create user namespaces.

Please see this documentation for details about how to enable the Codex bwrap-based sandbox if you have AppArmor enabled.

^ This works, but please update the docs to explicitly say that this workaround works only until the next reboot, and it's dangerous to do this.

[luispabon]

May I suggest that Codex performs a startup check for a) ubuntu, b) bubblewrap, c) that sys setting is correct and if anything's amiss, offer instructions on how to fix? Searching for that issue does not bring up that documentation page above, or this issue for that matter. Stumbled upon it after a number of follow up links on various issues that do.