Cannot run java/jdk commands in macOS sandbox #3978
Description
What version of Codex is running?
codex-cli 0.39.0
Which model were you using?
gpt-5-codex high
What platform is your computer?
Darwin 25.0.0 arm64 arm
What steps can reproduce the bug?
To do java development I need to have the sandbox be able to run java/jdk related commands. The java command is /usr/bin/java and is using /usr/libexec/java_home. It does a kind a discovery mechanism to run the jdk located in my case in /Library/Java/JavaVirtualMachines/amazon-corretto-24.jdk/Contents/Home.
Somehow some directories are not readable in the sandbox which makes running fail:
❯ codex debug seatbelt /usr/bin/java
The operation couldn’t be completed. Unable to locate a Java Runtime.
Please visit http://www.java.com for information on installing Java.
The target directory where the jdk is installed is readable in the sandbox so by doing:
export JAVA_HOME=/Library/Java/JavaVirtualMachines/amazon-corretto-24.jdk/Contents/Home
I can run the jdk. I gave this information as an instruction to codex and it could run mvn, java, etc. This is a workaround for now.
Copilot made the suggestion that this should be added to the sbpl configuration for the sandbox:
(allow file-read* (subpath "/Library/Java/JavaVirtualMachines"))
(allow file-read* (subpath "/System/Library/Java/JavaVirtualMachines"))
(allow file-read* (subpath "/usr/libexec"))
(allow process-exec (literal "/usr/libexec/java_home"))
Clearly, /System/Library/Java/JavaVirtualMachines is not readable, and that is maybe the problem:
❯ codex debug seatbelt ls /System/Library/Java/JavaVirtualMachines
ls: /System/Library/Java/JavaVirtualMachines: No such file or directory
What is the expected behavior?
Be able to run java and jdk commands from the sandbox.
What do you see instead?
❯ codex debug seatbelt /usr/bin/java
The operation couldn’t be completed. Unable to locate a Java Runtime.
Please visit http://www.java.com for information on installing Java.
Additional information
No response