OpenAI engineers custom sandbox for Codex on Windows
OpenAI's Codex engineering team, led by David Wiesen, developed a custom sandbox for Codex on Windows after evaluating existing tools like AppContainer, Windows Sandbox, and Mandatory Integrity Control. The initial unelevated prototype used synthetic SIDs and write-restricted tokens to limit file writes, and environment variables to restrict network access, but the network suppression proved inadequate. The final elevated sandbox creates dedicated local users (CodexSandboxOffline and CodexSandboxOnline) and uses Windows Firewall rules to block outbound network access for offline mode. Setup requires admin privileges and includes creating synthetic SIDs, user accounts, and firewall rules, and granting read ACLs to the sandbox users. A new binary, codex-command-runner.exe, spawns commands under restricted tokens as the sandbox user. The design balances safety and usability for agentic developer workflows.
Key facts
- David Wiesen joined Codex engineering team in September 2025
- Codex for Windows initially lacked a sandbox implementation
- Windows does not provide built-in sandboxing like macOS Seatbelt or Linux seccomp/bubblewrap
- AppContainer was unsuitable for open-ended developer workflows
- Windows Sandbox is unavailable on Windows Home SKUs
- Mandatory Integrity Control labeling would alter host filesystem trust model
- First prototype used synthetic SIDs and write-restricted tokens without elevation
- Network suppression in first prototype relied on environment variables and was advisory
- Final elevated sandbox creates CodexSandboxOffline and CodexSandboxOnline local users
- Firewall rules block outbound network for CodexSandboxOffline user
- Setup includes creating synthetic SID, sandbox users, firewall rules, and read ACLs
- codex-command-runner.exe spawns commands as sandbox user with restricted token
- Setup logic encapsulated in dedicated binary codex-windows-sandbox-setup.exe
- Read ACLs granted asynchronously to avoid blocking setup
- Design composed multiple Windows primitives to achieve safe agentic operation
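Why environment-variable network suppression is only advisory, as an added example (not OpenAI's code and not from the original article). It assumes the variables are the conventional proxy variables, which the page does not name, and uses a constructed loopback server as the destination.

```python
import contextlib, os, socket, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROXY_VARS = ("http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY")  # assumed names

class _Ok(BaseHTTPRequestHandler):  # constructed loopback stand-in for a remote host
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args): pass  # keep the demo quiet

@contextlib.contextmanager
def advisory_offline_env():
    """Point the proxy variables at a closed port, then restore the environment."""
    with socket.socket() as s:  # reserve a port, then release it so nothing listens there
        s.bind(("127.0.0.1", 0))
        dead = f"http://127.0.0.1:{s.getsockname()[1]}"
    saved = {k: os.environ.pop(k, None) for k in PROXY_VARS + ("no_proxy", "NO_PROXY")}
    os.environ.update({k: dead for k in PROXY_VARS})
    try:
        yield
    finally:
        for k in saved:
            os.environ.pop(k, None)
        os.environ.update({k: v for k, v in saved.items() if v is not None})

def cooperative_client(url):
    """Honours the proxy variables, so the request dies at the dead proxy."""
    try:
        with urllib.request.build_opener().open(url, timeout=3) as resp:
            return resp.status == 200
    except OSError:  # URLError is an OSError subclass
        return False

def direct_socket_client(host, port):
    """Never reads the environment; connects straight to the destination."""
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return b" 200 " in s.makefile("rb").readline()

def run_demo():
    """Returns (cooperative_ok, direct_ok) measured inside the 'offline' environment."""
    with HTTPServer(("127.0.0.1", 0), _Ok) as srv, advisory_offline_env():
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            return cooperative_client(f"http://{host}:{port}/"), direct_socket_client(host, port)
        finally:
            srv.shutdown()
```

The client that honours the variables is stopped, while the process that opens its own socket still reaches the destination; that is the gap a per-user outbound firewall rule closes, because the rule is enforced outside the sandboxed process.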
Entities
Institutions
- OpenAI
- Codex
- Microsoft