Allow disabling Codex inner sandbox when OpenClaw Docker sandbox is active

[eugifa]

Summary

When a Codex-backed agent is already running inside an OpenClaw-managed Docker sandbox, OpenClaw appears to force Codex app-server turns into Codex workspace-write mode. In some Docker sandbox environments this makes Codex try to start its own Linux/bwrap sandbox inside the outer sandbox, and shell/tool execution can fail before the command runs.

The desired behavior is a supported OpenClaw configuration option to use the OpenClaw sandbox as the single isolation boundary and run Codex inside that boundary without its inner bwrap sandbox.

Observed behavior

A minimal Docker-sandboxed Codex agent smoke reached the child session, but failed before running a basic shell command or reading a known workspace file.

Returned smoke result, sanitized:

SMOKE_STATUS: FAIL
TOOLS_USED: exec, exec_command
PWD: none
WORKSPACE_FILE_READ: FAIL
ERROR: bwrap loopback Failed RTM_NEWADDR Operation not permitted
NOTES: Shell execution was blocked before either check could run.

This issue is about Codex's inner bwrap sandbox failing inside an already sandboxed OpenClaw Docker runtime.

Environment shape

• OpenClaw version: 2026.5.12
• Runtime: Codex app-server / agentRuntime.id = "codex"
• OpenClaw sandbox: Docker, enabled for the agent
• Workspace access: read/write inside the OpenClaw-managed sandbox workspace
• Effective sandbox tool policy includes normal coding-agent fs/runtime tools

No host-specific paths are required to reproduce the issue.

Why this matters

For Docker-sandboxed agents, Docker/OpenClaw is already the trust boundary. Running Codex's own bwrap sandbox inside the container creates a nested sandbox/namespace failure mode and can prevent basic coding-agent shell execution.

Giving the Docker container broader privileges/capabilities to satisfy inner bwrap would weaken the outer sandbox. The cleaner design is to let OpenClaw own sandboxing and tool policy while Codex runs unsandboxed relative to the already-isolated container.

Requested behavior

Add a supported config option for Codex-backed agents such as:

• disable Codex inner sandbox when OpenClaw Docker sandboxing is active, or
• allow explicitly setting Codex sandbox mode to danger-full-access for Docker-sandboxed agents without OpenClaw narrowing it back to workspace-write.

Important constraint: this should not disable OpenClaw's outer sandbox or tool allow/deny policy. It should only avoid the nested Codex bwrap sandbox inside the already sandboxed execution environment.

Minimal repro shape

1. Configure a Codex-backed agent with OpenClaw Docker sandboxing enabled.
2. Give the agent normal fs/runtime tool exposure.
3. Spawn a tiny child task that runs pwd or reads a known workspace file.
4. Observe that shell execution may fail with:

bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

Expected result

The child Codex agent should be able to run basic shell/file commands inside the OpenClaw Docker sandbox, while OpenClaw remains responsible for the sandbox boundary and tool policy.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded: the requested no-bwrap or danger-full-access opt-out is now the wrong scope for the remaining problem, which is owned by the later protected Codex/OpenClaw sandbox-boundary issue and the narrower bwrap doctor PR.

Canonical path: Keep the sandbox-boundary decision on #83796 and handle Ubuntu/AppArmor bwrap diagnostics through #83791 instead of adding a separate no-bwrap config opt-out here.

So I’m closing this here and keeping the remaining discussion on #83796 and #83791.

Review details

Best possible solution:

Keep the sandbox-boundary decision on #83796 and handle Ubuntu/AppArmor bwrap diagnostics through #83791 instead of adding a separate no-bwrap config opt-out here.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main spawns the Codex stdio app-server from the Gateway process and maps active OpenClaw sandboxing to Codex workspaceWrite. I did not run the live Ubuntu/AppArmor bwrap canary in this read-only review.

Is this the best way to solve the issue?

No as originally framed: disabling Codex inner sandboxing or forcing danger-full-access is superseded by the broader boundary problem because the managed stdio app-server is gateway-hosted today.

Security review:

Security review needs attention: No patch was reviewed, but the requested no-bwrap or danger-full-access opt-out is security-sensitive because current Codex-native execution is gateway-hosted.

• [high] Preserve the expected sandbox boundary — extensions/codex/src/app-server/run-attempt.ts:482
  Implementing this opt-out while the Codex app-server still runs from the Gateway process could expose Gateway filesystem or process state instead of preserving per-agent Docker containment.
  Confidence: 0.88

What I checked:

• Canonical security issue: The later open issue [Bug]: Security: codex runtime + sandbox = agent escapes containment #83796 is labeled security/P1 and asks for the broader boundary decision: run Codex-native execution inside the per-agent sandbox, or fail closed/warn when that cannot be honored.
• Narrow diagnostic PR: The related open draft PR fix(doctor): detect Codex bwrap namespace denials #83791 handles Ubuntu/AppArmor bwrap namespace diagnostics without adding a Codex no-bwrap config option.
• Current source keeps Codex workspaceWrite under active OpenClaw sandboxing: resolveCodexAppServerSandboxPolicyForOpenClawSandbox returns a Codex workspaceWrite policy and comments that the app-server still runs on the Gateway host while mirroring OpenClaw sandbox egress. (extensions/codex/src/app-server/run-attempt.ts:467, 9eee202a694b)
• Gateway-hosted stdio app-server path: createStdioTransport resolves the Codex invocation and calls Node spawn directly, so the current stdio app-server process boundary is the Gateway process rather than an OpenClaw sandbox backend wrapper. (extensions/codex/src/app-server/transport-stdio.ts:93, 9eee202a694b)
• Current tests lock the workspaceWrite behavior: The focused Codex app-server test expects active Docker sandboxing plus appServer sandbox danger-full-access to resolve to Codex workspaceWrite with egress derived from the OpenClaw sandbox. (extensions/codex/src/app-server/run-attempt.test.ts:9261, 9eee202a694b)
• History provenance: Feature history shows Codex app-server controls, the sandbox constraint, module split, and later egress preservation were introduced or maintained through commits 31a0b7b, 172df5e, 8d72aaf, and adc3767. (extensions/codex/src/app-server/run-attempt.ts, 31a0b7bd42a5)

Likely related people:

• steipete: Peter Steinberger authored the Codex app-server controls, the sandbox constraint, the app-server module split, and the egress-preservation change in the affected path. (role: feature-history owner and recent area contributor; confidence: high; commits: 31a0b7bd42a5, 172df5ed4688, 8d72aafdbb8d; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/transport-stdio.ts, docs/gateway/sandboxing.md)
• vincentkoc: Vincent Koc has merged Codex app-server startup/auth work and authored the related doctor diagnostics PR for this bwrap namespace-denial path. (role: adjacent Codex app-server contributor and diagnostic PR author; confidence: medium; commits: f1cc8f0cfc7c; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/config.ts, src/commands/doctor-sandbox.ts)
• sallyom: Sally O'Malley is assigned on this issue and narrowed the discussion toward the Ubuntu/AppArmor bwrap failure versus the broader Codex placement problem. (role: assigned investigator; confidence: medium; files: extensions/codex/src/app-server/run-attempt.ts, docs/gateway/sandboxing.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9eee202a694b.

[sallyom]

I’m trying to pin down the exact runtime shape.
Can you share how the Codex app-server was being launched when this failed?

1. Were you using the default managed Codex app-server (no custom appServer config)?
2. Was the Codex app-server process itself running inside the OpenClaw Docker sandbox container, or was it started by the host gateway?
3. Was this through sessions_spawn / a child task, or a normal top-level agent turn?
4. Was the OpenClaw gateway itself running in Docker, or directly on the host?

I tested the stock managed Codex app-server plus OpenClaw Docker sandbox path locally. OpenClaw created Docker sandbox containers, but the managed Codex app-server executed from the host-side workspace and did not reproduce the bwrap failure. So I want to confirm whether your repro involved Codex app-server running inside the Docker sandbox, or another path that routes Codex execution differently.

[oc-jarvis]

Thanks, this helped narrow the shape.

Answers to your questions:

1. Yes, this was the default managed Codex app-server path. I do not have custom appServer config.
2. Based on process inspection during the repro, the managed Codex app-server appears to be host-started by the gateway, not launched inside the Docker sandbox container.
3. The failure was through sessions_spawn / a child task, not a normal top-level agent turn.
4. The OpenClaw gateway was running directly on the host, not in Docker.

I re-ran a narrow repro with one Codex-backed agent temporarily switched back to OpenClaw Docker sandboxing. OpenClaw reported the agent as sandboxed (mode: all, workspaceAccess: rw), and the managed Codex app-server process was still visible host-side.

The child task only attempted basic shell checks: pwd, reading a few non-secret profile marker env vars, listing /workspace, and checking whether a known scratch dir existed. Every shell check failed before producing command output with:

bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

So I should correct my earlier wording: I do not think the repro proves "Codex app-server process running inside Docker." The more precise shape is:

host gateway + managed Codex app-server + sessions_spawn child task for an OpenClaw Docker-sandboxed Codex agent, where Codex shell execution still enters the inner workspace-write/bwrap path and fails before the command runs.

Happy to capture a specific gateway/app-server trace or sanitized logs if there is a log field/debug flag you want checked.

[sallyom]

You're on Ubuntu? I have not been able to reproduce this, but I'm on RHEL/Fedora. Looking at #83599, this looks to be Ubuntu/AppArmor not allowing unprivileged user namespaces that bwrap sets up. Still investigating this. If this is the case then setting to danger-full-access won't help.

[oc-jarvis]

Yes, you're right, this host is Ubuntu.

Current local details:

Ubuntu 24.04.4 LTS
kernel 6.8.0-110-generic
/proc/sys/kernel/unprivileged_userns_clone=1
/proc/sys/user/max_user_namespaces=31610
/proc/sys/kernel/apparmor_restrict_unprivileged_userns=1

That lines up with your AppArmor / unprivileged user namespace theory. Directly running Codex's bundled bwrap also fails here:

bwrap --unshare-user ...
=> bwrap: setting up uid map: Permission denied

bwrap --unshare-user --unshare-net ...
=> bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

One extra data point: I checked Codex's legacy Landlock path. Direct Codex sandboxing fails with default bwrap, but succeeds when enabling legacy Landlock:

codex sandbox linux /bin/sh -lc 'pwd'
=> bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

codex sandbox linux --enable use_legacy_landlock /bin/sh -lc 'pwd'
=> prints cwd successfully

Equivalent config appears to be:

[features]
use_legacy_landlock = true

However, when I previously tried enabling features.use_legacy_landlock=true through the OpenClaw managed app-server / Codex-backed agent path, it did not solve the agent execution path. The observed failure changed to:

landlock runtime enforcement incompatible with legacy landlock

So I agree that danger-full-access alone probably will not help if the failing path still needs bwrap on Ubuntu/AppArmor. But I wonder whether legacy Landlock could be a viable Ubuntu fallback if OpenClaw can pass it cleanly into managed app-server turns, or avoid combining it with an incompatible runtime-enforcement mode.