fix(core) allow loopback by default in sandbox

2026-04-24 14:45:27 +00:00 · 2026-01-08 03:06:58 -08:00
parent 80d7a5d7fe
commit 8a73f26285
2 changed files with 11 additions and 0 deletions
--- a/codex-rs/core/src/seatbelt_base_policy.sbpl
+++ b/codex-rs/core/src/seatbelt_base_policy.sbpl
@@ -18,6 +18,14 @@
 ; process-info
 (allow process-info* (target same-sandbox))

+; Allow loopback-only sockets for local servers/clients.
+(allow network-bind
+  (local ip "localhost:*"))
+(allow network-inbound
+  (local ip "localhost:*"))
+(allow network-outbound
+  (remote ip "localhost:*"))
+
 (allow file-write-data
  (require-all
    (path "/dev/null")
--- a/codex-rs/core/src/seatbelt_network_policy.sbpl
+++ b/codex-rs/core/src/seatbelt_network_policy.sbpl
@@ -1,6 +1,9 @@
 ; when network access is enabled, these policies are added after those in seatbelt_base_policy.sbpl
 ; Ref https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/mac/network.sb;drc=f8f264d5e4e7509c913f4c60c2639d15905a07e4

+(allow network-bind
+  (local ip "localhost:*"))
+
 (allow network-outbound)
 (allow network-inbound)
 (allow system-socket)