- Updated: January 17, 2026
- 7 min read
Deep Dive into AI Agent Sandboxes: Security, Permissions, and Best Practices
AI agent sandboxing isolates coding agents by using OS‑level mechanisms such as macOS Seatbelt and Linux Landlock, while the Codex CLI offers three permission modes—Read‑Only, Auto, and Full Access—to control file, command, and network privileges.
Why AI Agent Sandboxing Matters Today
Modern AI coding assistants can execute arbitrary shell commands, compile code, and even reach out to external services. Without proper containment, a single rm -rf or a stray network request can compromise an entire development environment. Developers, AI engineers, and security professionals therefore need a reliable, low‑overhead way to grant just enough permissions for productivity while preventing catastrophic misuse.
Enter AI agent sandboxing: a set of native operating‑system controls that enforce fine‑grained policies without the heavyweight overhead of full containers. In the original deep‑dive on agent sandboxes, Pierce Freeman explains how the Codex CLI leverages these mechanisms to keep agents safe yet functional.
Overview of AI Agent Sandboxing
Sandboxing is the practice of running a process inside a restricted environment that limits its view of the file system, network, and system calls. For AI agents, sandboxing solves two core problems:
- Security: Prevents accidental or malicious actions such as data exfiltration or destructive file operations.
- Predictability: Guarantees that an agent’s behavior stays within the boundaries required for a given task, making debugging and compliance easier.
UBOS (see the UBOS platform overview) adopts a similar philosophy: it provides a unified sandbox layer for AI‑driven workflows, allowing developers to focus on logic rather than security plumbing.
macOS Seatbelt vs. Linux Landlock: The Core Engines
macOS Seatbelt
Seatbelt is the kernel‑level sandbox mechanism on macOS; the App Sandbox that App Store apps opt into is layered on top of it. A process can also be wrapped directly by launching it through /usr/bin/sandbox-exec with a profile written in Apple's Scheme‑like sandbox profile language (SBPL). sandbox-exec is marked deprecated in its man page but still ships and works. A profile enumerates allowed operations rather than raw system calls: file reads and writes by path, outbound network, process execution, Mach service lookups and so on. The Codex CLI builds this profile on the fly, injecting writable roots and read‑only sub‑paths (e.g., .git directories) to protect version history.
Key characteristics:
- Default‑deny when the profile asks for it: a profile opens with (version 1) followed by (deny default) or (allow default). The Codex profile starts with (deny default), so anything not explicitly permitted is blocked.
- Simple policy syntax, but prone to misconfiguration, especially when granting write access under a user's home directory: a subpath rule on $HOME silently covers ~/.ssh, ~/.aws and every other credential store that lives there.
- Network control is all‑or‑nothing in practice: the generated profile either allows outbound network or denies it. SBPL can filter outbound connections by remote address and port, but the Codex profile draws no finer distinction than on or off.
UBOS leverages Seatbelt for its Telegram integration on UBOS, ensuring that bot‑driven commands cannot escape the intended workspace.
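The following is an added example (not the Codex CLI's own profile or code) of the profile shape just described: deny by default, read anywhere, write only beneath chosen roots with .git excluded, network on or off as a whole. The helper names, the exact rule text and the handful of process allows are this example's own choices; a real profile usually needs further allows (mach-lookup, ipc) depending on the tool being run.

```python
"""Generate a Seatbelt (SBPL) profile: deny default, read anywhere, write only
beneath chosen roots minus read-only sub-paths, network all-or-nothing.
Optionally run a command under it with sandbox-exec (macOS only)."""
import os
import shutil
import subprocess
from typing import Sequence

READ_ONLY_SUBDIRS = (".git",)  # version-control metadata stays read-only


def sbpl_string(path: str) -> str:
    """Quote a path as an SBPL string literal; backslashes and quotes are escaped."""
    return '"' + path.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_profile(writable_roots: Sequence[str], *, allow_network: bool = False,
                  read_only_subdirs: Sequence[str] = READ_ONLY_SUBDIRS) -> str:
    """Return profile text. The .git carve-out is expressed with
    require-all / require-not inside the allow rule, so it does not depend on
    rule ordering."""
    lines = [
        "(version 1)",
        "(deny default)",            # everything below is an explicit exception
        "(allow file-read*)",        # the agent may inspect the whole filesystem
        # Minimal process plumbing so a shell command can start at all (assumed
        # sufficient for simple tools; real profiles usually need more).
        "(allow process-exec)",
        "(allow process-fork)",
        "(allow sysctl-read)",
        "(allow signal (target self))",
    ]
    for root in writable_roots:
        # realpath matters: on macOS /tmp is a symlink to /private/tmp and the
        # sandbox compares resolved paths.
        root = os.path.realpath(os.path.expanduser(root))
        lines.append("(allow file-write*")
        lines.append("  (require-all")
        lines.append(f"    (subpath {sbpl_string(root)})")
        for sub in read_only_subdirs:
            lines.append(f"    (require-not (subpath {sbpl_string(os.path.join(root, sub))}))")
        lines.append("  )")
        lines.append(")")
    # (deny default) already refuses network; the explicit rule documents intent.
    lines.append("(allow network*)" if allow_network else "(deny network*)")
    return "\n".join(lines) + "\n"


def run_sandboxed(argv: Sequence[str], profile: str, **run_kwargs) -> subprocess.CompletedProcess:
    """Execute argv under the profile. Refuses to fall back to an unsandboxed
    run when sandbox-exec is missing (i.e. on non-macOS hosts)."""
    exe = shutil.which("sandbox-exec")
    if exe is None:
        raise RuntimeError("sandbox-exec not found; refusing to run unsandboxed")
    return subprocess.run([exe, "-p", profile, *argv], **run_kwargs)


if __name__ == "__main__":
    profile = build_profile([os.getcwd()])
    print(profile)
    # Inside a git checkout on macOS the first touch succeeds and the second is
    # refused, because .git is excluded from the writable root.
    for cmd in (["touch", "sandbox-probe.txt"], ["touch", ".git/sandbox-probe.txt"]):
        print(cmd, "->", run_sandboxed(cmd, profile).returncode)
```

The generator deliberately raises instead of running the command unsandboxed when sandbox-exec is absent; a wrapper that "degrades gracefully" to no sandbox is the classic way a Linux CI job ends up running an agent with full access by accident.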
Linux Landlock + Seccomp
Linux offers a richer sandboxing toolbox. Landlock (available from kernel 5.13) restricts filesystem access through rulesets that grant rights on directory hierarchies (since kernel 6.7 it can also restrict TCP bind and connect), while seccomp‑BPF filters system calls. The Codex CLI's codex-linux-sandbox helper parses a serialized policy, applies Landlock rules for writable roots, and installs a seccomp filter that blocks network‑related syscalls unless explicitly allowed.
Advantages over Seatbelt:
- Granular control over individual syscalls (e.g., allowing recvfrom for local IPC while denying connect).
- Fine‑tuned write permissions: read anywhere, write only to whitelisted directories.
- The same process can additionally be placed in namespaces and cgroups for resource limits, which Seatbelt has no equivalent for.
One caveat: Landlock rules only ever grant access, and a rule on a subdirectory cannot take away what a rule on its parent granted. A writable workspace root therefore cannot have a read‑only .git carved out of it the way a Seatbelt profile excludes a sub‑path; protecting repository metadata on Linux needs a different mechanism (filesystem permissions, a read‑only bind mount in a mount namespace, or a check in the agent itself).
UBOS’s Chroma DB integration runs inside a Landlock sandbox, guaranteeing that vector‑store operations cannot touch unrelated files on the host.
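As an added example (not the code of codex-linux-sandbox), the same "read anywhere, write only inside the workspace" policy applied with Landlock. It calls the Landlock syscalls directly through ctypes; the syscall numbers 444 to 446 are those of x86_64 and arm64, the probe works in a forked child on a temporary directory, and on kernels without Landlock (or where a container's seccomp filter refuses the syscalls) the helpers report unsupported instead of failing. The access bits are taken from linux/landlock.h.

```python
"""Landlock: read anywhere, write only beneath one workspace, via ctypes."""
import ctypes
import os
import shutil
import struct
import sys
import tempfile
from typing import Optional

# Constants from linux/landlock.h and linux/prctl.h. Syscall numbers are the
# x86_64 / arm64 ones (an assumption of this example).
SYS_CREATE_RULESET, SYS_ADD_RULE, SYS_RESTRICT_SELF = 444, 445, 446
LANDLOCK_CREATE_RULESET_VERSION = 1      # flag: query the ABI instead of creating
LANDLOCK_RULE_PATH_BENEATH = 1
PR_SET_NO_NEW_PRIVS = 38
FS_EXECUTE, FS_WRITE_FILE, FS_READ_FILE, FS_READ_DIR = 1 << 0, 1 << 1, 1 << 2, 1 << 3
FS_REFER, FS_TRUNCATE, FS_IOCTL_DEV = 1 << 13, 1 << 14, 1 << 15
_FS_ABI1 = (1 << 13) - 1                 # EXECUTE .. MAKE_SYM: the ABI v1 rights

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def _syscall(nr: int, *args) -> int:
    rc = _libc.syscall(ctypes.c_long(nr), *args)
    if rc < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return rc


def fs_rights_for_abi(abi: int) -> int:
    """Every filesystem right this kernel understands. Handling a bit the kernel
    does not know makes landlock_create_ruleset fail with EINVAL."""
    rights = _FS_ABI1
    if abi >= 2:
        rights |= FS_REFER
    if abi >= 3:
        rights |= FS_TRUNCATE
    if abi >= 5:                         # ABI v4 only added network rights
        rights |= FS_IOCTL_DEV
    return rights


def landlock_abi() -> Optional[int]:
    """Kernel Landlock ABI version, or None when unavailable (not Linux, ENOSYS,
    EOPNOTSUPP when the LSM is not enabled, EPERM from a seccomp filter)."""
    if not sys.platform.startswith("linux"):
        return None
    try:
        return _syscall(SYS_CREATE_RULESET, None, ctypes.c_size_t(0),
                        LANDLOCK_CREATE_RULESET_VERSION)
    except OSError:
        return None


def _add_path_rule(ruleset_fd: int, path: str, allowed: int) -> None:
    # struct landlock_path_beneath_attr is packed: __u64 allowed_access, __s32 parent_fd
    dir_fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
    try:
        attr = (ctypes.c_char * 12).from_buffer_copy(struct.pack("=Qi", allowed, dir_fd))
        _syscall(SYS_ADD_RULE, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, attr, 0)
    finally:
        os.close(dir_fd)


def restrict_to_workspace(workspace: str) -> Optional[int]:
    """Apply the policy to the calling process. Irreversible and inherited by
    children, so call it right before exec'ing the agent. Returns the ABI
    version used, or None if Landlock is unavailable."""
    abi = landlock_abi()
    if abi is None:
        return None
    handled = fs_rights_for_abi(abi)
    # struct landlock_ruleset_attr: passing just the first __u64 works on every ABI
    ruleset_attr = (ctypes.c_char * 8).from_buffer_copy(struct.pack("=Q", handled))
    fd = _syscall(SYS_CREATE_RULESET, ruleset_attr, ctypes.c_size_t(8), 0)
    try:
        _add_path_rule(fd, "/", FS_READ_FILE | FS_READ_DIR | FS_EXECUTE)
        _add_path_rule(fd, workspace, handled)          # all rights, incl. writes
        if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:   # required first
            raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
        _syscall(SYS_RESTRICT_SELF, fd, 0)
    finally:
        os.close(fd)
    return abi


def _try_write(path: str) -> str:
    try:
        with open(path, "w") as fh:
            fh.write("probe")
        return "ok"
    except PermissionError:              # Landlock refusals surface as EACCES
        return "denied"


def probe_write_isolation() -> Optional[dict]:
    """Fork, restrict the child to a fresh temporary workspace, and report whether
    a write inside succeeds and a write outside is refused. None = unsupported."""
    workspace, outside = tempfile.mkdtemp(prefix="ws-"), tempfile.mkdtemp(prefix="out-")
    rfd, wfd = os.pipe()
    if os.fork() == 0:                   # child: never returns into the caller
        os.close(rfd)
        try:
            if restrict_to_workspace(workspace) is None:
                report = "unsupported"
            else:
                report = "%s,%s" % (_try_write(os.path.join(workspace, "p.txt")),
                                    _try_write(os.path.join(outside, "p.txt")))
        except BaseException as exc:
            report = "error:%r" % exc
        os.write(wfd, report.encode())
        os._exit(0)
    os.close(wfd)
    report = os.read(rfd, 4096).decode()  # one short message, written before exit
    os.close(rfd)
    os.wait()
    shutil.rmtree(workspace, ignore_errors=True)
    shutil.rmtree(outside, ignore_errors=True)
    if report == "unsupported":
        return None
    if not report or report.startswith("error:"):
        raise RuntimeError(report or "child produced no report")
    inside, outside_result = report.split(",")
    return {"inside": inside, "outside": outside_result}


if __name__ == "__main__":
    print("Landlock ABI:", landlock_abi(), "probe:", probe_write_isolation())
```

Note what the policy cannot express: the workspace rule grants every handled right beneath the root, and no further rule could make a .git directory inside it read‑only again, which is the Landlock limitation discussed above.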
Codex CLI Permission Modes: Read‑Only, Auto, Full Access
The Codex command‑line interface (CLI) exposes three distinct permission profiles that map directly onto the underlying OS sandbox mechanisms.
Read‑Only Mode
In this strictest setting, the agent can only cat or grep files. Any attempt to edit, delete, or execute a command triggers an approval prompt. This mode is ideal for code‑review bots that need to answer questions without altering the repository.
Developers can quickly test a prompt against a codebase while guaranteeing that no state changes occur.
Auto (Current) Mode
Auto is the sweet spot for most development workflows. The agent can read, edit, and run commands inside the current workspace, but any attempt to access files outside the workspace or to open network sockets requires explicit user approval.
Under the hood, the CLI launches the process with either Seatbelt (macOS) or Landlock+seccomp (Linux) in “workspace‑only” mode. This mirrors the behavior of popular tools like Claude Code and Cursor, where a command whitelist evolves as the user approves safe actions.
UBOS’s AI marketing agents default to Auto, allowing them to fetch campaign data from a local CSV while preventing arbitrary internet calls.
Full Access Mode
Full Access removes all sandbox restrictions, giving the agent unrestricted terminal control. This is comparable to running the CLI without any sandbox wrapper and should only be used in trusted environments (e.g., isolated CI containers). Keep in mind that an isolated container protects the host, not the job: whatever tokens, deploy keys or cloud credentials are mounted into the job are fully exposed to the agent in this mode.
Because the process runs without Seatbelt or Landlock, any command, dangerous or benign, executes directly, making it unsuitable for production machines.
Command Whitelisting & Debugging Support
Beyond static permission modes, Codex implements a dynamic command whitelist. When an agent issues a new command, the system checks:
- If the command is in the built‑in "safe" list (e.g., swift build, git status).
- If the user has previously approved the exact command during the session.
- If the command requires elevated permissions, prompting the user to approve or reject it.
This approach reduces "approval fatigue" while still protecting against unexpected actions like rm -rf /. The whitelist is session‑scoped: once approved, that exact command is trusted for the remainder of the session, so approving git status does not implicitly cover git push, and nothing carries over into the next session.
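The three checks above, written out as an added example (not the Codex CLI's own implementation). The safe list, the in-memory session store and the handling of shell metacharacters are this example's assumptions; the last point matters because a "safe" prefix followed by && or ; is a different command, and a whitelist that matches on the first two words would wave through git status && rm -rf /.

```python
"""Command approval policy: built-in safe list, then exact session approvals,
otherwise ask the user."""
import shlex
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ASK = "ask"


# Safe-list entries are argv prefixes: ("git", "status") covers "git status"
# and "git status --short" but not "git push". Assumed list for this example.
SAFE_PREFIXES = frozenset({
    ("git", "status"), ("git", "diff"), ("git", "log"),
    ("swift", "build"), ("ls",), ("cat",),
})

# A shell treats these as separators, redirections or expansions. A command
# containing any of them is not "one argv" and never matches a safe prefix;
# it can only run through an exact session approval.
SHELL_METACHARS = set(";&|<>`$(){}\n")


def normalize(command: str):
    """Canonical single-spaced form used for exact-match approvals.
    Returns None when the command cannot be tokenised (unbalanced quotes)."""
    try:
        return shlex.join(shlex.split(command))
    except ValueError:
        return None


class Session:
    def __init__(self, safe_prefixes=SAFE_PREFIXES):
        self.safe_prefixes = safe_prefixes
        self.approved = set()          # normalized commands the user approved

    def decide(self, command: str) -> Decision:
        norm = normalize(command)
        if norm is None:
            return Decision.ASK
        # 1. built-in safe list, only for plain argv without shell syntax
        if not (SHELL_METACHARS & set(command)):
            argv = tuple(shlex.split(command))
            if any(argv[:len(p)] == p for p in self.safe_prefixes):
                return Decision.ALLOW
        # 2. exact command approved earlier in this session
        if norm in self.approved:
            return Decision.ALLOW
        # 3. everything else needs the user
        return Decision.ASK

    def approve(self, command: str) -> None:
        """Record the user's approval of this exact command for the session."""
        norm = normalize(command)
        if norm is not None:
            self.approved.add(norm)


if __name__ == "__main__":
    s = Session()
    s.approve("git push origin main")
    for cmd in ("git status --short", "git push origin main", "git push origin prod",
                "git status && rm -rf /", "rm -rf /"):
        print(f"{cmd!r:32} -> {s.decide(cmd).value}")
```

Approvals are keyed on the normalized argv, so extra whitespace does not create a "new" command, while changing a single argument (origin prod instead of origin main) does, which is the behaviour a session‑scoped exact‑match whitelist should have.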
For developers who need deeper insight, Codex ships two debugging helpers:
- codex debug seatbelt runs an arbitrary command inside the macOS Seatbelt sandbox, echoing the effective policy.
- codex debug landlock performs the same for Linux, showing the applied Landlock rules and seccomp filters.
These tools are invaluable when troubleshooting permission errors, such as the clang‑related failure described in the original article.
Benefits and Best Practices for Secure AI Coding
Implementing sandboxing yields tangible advantages for teams building AI‑driven software.
Benefit: Reduced Attack Surface
By limiting file system and network access, you prevent agents from unintentionally leaking credentials or corrupting production data.
Benefit: Faster Iteration
Auto mode lets developers iterate quickly—agents can compile, test, and refactor without manual permission toggles, while still keeping a safety net.
Best Practice: Use Container‑Level Isolation for CI
Even with OS‑native sandboxes, wrap the entire CI job in a Docker or Podman container. This adds a second layer of defense and simplifies resource limits. Run the job as a non‑root user with capabilities dropped and, where the task allows, with no network at all. A container still shares the host kernel, so treat it as a second layer, not a replacement for the sandbox.
Best Practice: Adopt a Whitelist‑First Policy
Start with a minimal safe list (e.g., git status, git diff) and expand only after verifying each command's impact. Be careful with anything that runs package‑manager hooks: npm install executes arbitrary lifecycle scripts from dependencies and reaches out to the network, so it belongs behind an approval rather than on the unconditional safe list.
UBOS provides a suite of resources to help you adopt these practices:
- Enterprise AI platform by UBOS – offers built‑in sandbox orchestration for large teams.
- Workflow automation studio – lets you design permission‑aware pipelines without writing custom scripts.
- Web app editor on UBOS – automatically runs generated code inside a sandboxed preview.
- UBOS pricing plans – includes a free tier for sandbox experimentation.
For quick prototyping, the UBOS templates for quick start include ready‑made sandbox configurations. Notable examples:
- AI SEO Analyzer – runs web‑scraping and analysis inside a Landlock sandbox.
- AI Chatbot template – demonstrates safe network calls via explicit permission grants.
- GPT‑Powered Telegram Bot – combines ChatGPT and Telegram integration with sandboxed command execution.
Conclusion
AI agent sandboxing bridges the gap between powerful, autonomous coding assistants and the security requirements of modern development pipelines. By leveraging native OS mechanisms—macOS Seatbelt and Linux Landlock—combined with Codex’s flexible permission modes and command whitelist, teams can enjoy rapid iteration without sacrificing safety.
For a deeper technical walk‑through, read the original deep‑dive on agent sandboxes. To start building sandbox‑aware AI workflows today, explore UBOS’s ecosystem:
- About UBOS – learn how the platform was engineered for secure AI.
- UBOS partner program – collaborate on sandbox‑enabled AI solutions.
- UBOS for startups – get early‑stage access to sandboxed AI tooling.
- UBOS solutions for SMBs – affordable sandboxed AI for small teams.
Adopt these practices now, and you’ll protect your code, your data, and your reputation while still harnessing the full power of AI coding agents.