sandboxing: plumb split sandbox policies through runtime

config: add v3 filesystem permission profiles
2026-03-06 22:53:23 +00:00 · 2026-03-06 14:41:46 -08:00 · 2026-03-06 14:41:46 -08:00
27 changed files with 2050 additions and 155 deletions
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -1534,9 +1534,19 @@ impl CodexMessageProcessor {
        };

        let requested_policy = params.sandbox_policy.map(|policy| policy.to_core());
-        let effective_policy = match requested_policy {
+        let (
+            effective_policy,
+            effective_file_system_sandbox_policy,
+            effective_network_sandbox_policy,
+        ) = match requested_policy {
            Some(policy) => match self.config.permissions.sandbox_policy.can_set(&policy) {
-                Ok(()) => policy,
+                Ok(()) => {
+                    let file_system_sandbox_policy =
+                        codex_protocol::protocol::FileSystemSandboxPolicy::from(&policy);
+                    let network_sandbox_policy =
+                        codex_protocol::protocol::NetworkSandboxPolicy::from(&policy);
+                    (policy, file_system_sandbox_policy, network_sandbox_policy)
+                }
                Err(err) => {
                    let error = JSONRPCErrorError {
                        code: INVALID_REQUEST_ERROR_CODE,
@@ -1547,7 +1557,11 @@ impl CodexMessageProcessor {
                    return;
                }
            },
-            None => self.config.permissions.sandbox_policy.get().clone(),
+            None => (
+                self.config.permissions.sandbox_policy.get().clone(),
+                self.config.permissions.file_system_sandbox_policy.clone(),
+                self.config.permissions.network_sandbox_policy,
+            ),
        };

        let codex_linux_sandbox_exe = self.arg0_paths.codex_linux_sandbox_exe.clone();
@@ -1562,6 +1576,8 @@ impl CodexMessageProcessor {
            match codex_core::exec::process_exec_tool_call(
                exec_params,
                &effective_policy,
+                &effective_file_system_sandbox_policy,
+                effective_network_sandbox_policy,
                sandbox_cwd.as_path(),
                &codex_linux_sandbox_exe,
                use_linux_sandbox_bwrap,
--- a/codex-rs/core/config.schema.json
+++ b/codex-rs/core/config.schema.json
@@ -568,6 +568,30 @@
      },
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "none",
+        "read",
+        "write"
+      ],
+      "type": "string"
+    },
+    "FilesystemPermissionToml": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        {
+          "additionalProperties": {
+            "$ref": "#/definitions/FileSystemAccessMode"
+          },
+          "type": "object"
+        }
+      ]
+    },
+    "FilesystemPermissionsToml": {
+      "type": "object"
+    },
    "ForcedLoginMethod": {
      "enum": [
        "chatgpt",
@@ -1089,20 +1113,30 @@
      },
      "type": "object"
    },
-    "PermissionsToml": {
+    "PermissionProfileNetworkToml": {
      "additionalProperties": false,
      "properties": {
-        "network": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/NetworkToml"
-            }
-          ],
-          "description": "Network proxy settings from `[permissions.network]`. User config can enable the proxy; managed requirements may still constrain values."
+        "enabled": {
+          "type": "boolean"
        }
      },
      "type": "object"
    },
+    "PermissionProfileToml": {
+      "additionalProperties": false,
+      "properties": {
+        "filesystem": {
+          "$ref": "#/definitions/FilesystemPermissionsToml"
+        },
+        "network": {
+          "$ref": "#/definitions/PermissionProfileNetworkToml"
+        }
+      },
+      "type": "object"
+    },
+    "PermissionsToml": {
+      "type": "object"
+    },
    "Personality": {
      "enum": [
        "none",
@@ -1664,6 +1698,10 @@
      "description": "Compact prompt used for history compaction.",
      "type": "string"
    },
+    "default_permissions": {
+      "description": "Default named permissions profile to apply from the `[permissions]` table.",
+      "type": "string"
+    },
    "developer_instructions": {
      "default": null,
      "description": "Developer instructions inserted as a `developer` role message.",
@@ -2032,6 +2070,15 @@
      ],
      "description": "Optional verbosity control for GPT-5 models (Responses API `text.verbosity`)."
    },
+    "network": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/NetworkToml"
+        }
+      ],
+      "default": null,
+      "description": "Top-level network proxy settings."
+    },
    "notice": {
      "allOf": [
        {
@@ -2067,7 +2114,7 @@
        }
      ],
      "default": null,
-      "description": "Nested permissions settings."
+      "description": "Named permissions profiles."
    },
    "personality": {
      "allOf": [
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -223,10 +223,12 @@ use crate::protocol::ErrorEvent;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecApprovalRequestEvent;
+use crate::protocol::FileSystemSandboxPolicy;
 use crate::protocol::McpServerRefreshConfig;
 use crate::protocol::ModelRerouteEvent;
 use crate::protocol::ModelRerouteReason;
 use crate::protocol::NetworkApprovalContext;
+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::Op;
 use crate::protocol::PlanDeltaEvent;
 use crate::protocol::RateLimitSnapshot;
@@ -488,6 +490,8 @@ impl Codex {
            compact_prompt: config.compact_prompt.clone(),
            approval_policy: config.permissions.approval_policy.clone(),
            sandbox_policy: config.permissions.sandbox_policy.clone(),
+            file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+            network_sandbox_policy: config.permissions.network_sandbox_policy,
            windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
            cwd: config.cwd.clone(),
            codex_home: config.codex_home.clone(),
@@ -683,6 +687,8 @@ pub(crate) struct TurnContext {
    pub(crate) personality: Option<Personality>,
    pub(crate) approval_policy: Constrained<AskForApproval>,
    pub(crate) sandbox_policy: Constrained<SandboxPolicy>,
+    pub(crate) file_system_sandbox_policy: FileSystemSandboxPolicy,
+    pub(crate) network_sandbox_policy: NetworkSandboxPolicy,
    pub(crate) network: Option<NetworkProxy>,
    pub(crate) windows_sandbox_level: WindowsSandboxLevel,
    pub(crate) shell_environment_policy: ShellEnvironmentPolicy,
@@ -773,6 +779,8 @@ impl TurnContext {
            personality: self.personality,
            approval_policy: self.approval_policy.clone(),
            sandbox_policy: self.sandbox_policy.clone(),
+            file_system_sandbox_policy: self.file_system_sandbox_policy.clone(),
+            network_sandbox_policy: self.network_sandbox_policy,
            network: self.network.clone(),
            windows_sandbox_level: self.windows_sandbox_level,
            shell_environment_policy: self.shell_environment_policy.clone(),
@@ -878,6 +886,8 @@ pub(crate) struct SessionConfiguration {
    approval_policy: Constrained<AskForApproval>,
    /// How to sandbox commands executed in the system
    sandbox_policy: Constrained<SandboxPolicy>,
+    file_system_sandbox_policy: FileSystemSandboxPolicy,
+    network_sandbox_policy: NetworkSandboxPolicy,
    windows_sandbox_level: WindowsSandboxLevel,

    /// Working directory that should be treated as the *root* of the
@@ -944,6 +954,10 @@ impl SessionConfiguration {
        }
        if let Some(sandbox_policy) = updates.sandbox_policy.clone() {
            next_configuration.sandbox_policy.set(sandbox_policy)?;
+            next_configuration.file_system_sandbox_policy =
+                FileSystemSandboxPolicy::from(next_configuration.sandbox_policy.get());
+            next_configuration.network_sandbox_policy =
+                NetworkSandboxPolicy::from(next_configuration.sandbox_policy.get());
        }
        if let Some(windows_sandbox_level) = updates.windows_sandbox_level {
            next_configuration.windows_sandbox_level = windows_sandbox_level;
@@ -1156,6 +1170,8 @@ impl Session {
            personality: session_configuration.personality,
            approval_policy: session_configuration.approval_policy.clone(),
            sandbox_policy: session_configuration.sandbox_policy.clone(),
+            file_system_sandbox_policy: session_configuration.file_system_sandbox_policy.clone(),
+            network_sandbox_policy: session_configuration.network_sandbox_policy,
            network,
            windows_sandbox_level: session_configuration.windows_sandbox_level,
            shell_environment_policy: per_turn_config.permissions.shell_environment_policy.clone(),
@@ -4983,6 +4999,8 @@ async fn spawn_review_thread(
        personality: parent_turn_context.personality,
        approval_policy: parent_turn_context.approval_policy.clone(),
        sandbox_policy: parent_turn_context.sandbox_policy.clone(),
+        file_system_sandbox_policy: parent_turn_context.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: parent_turn_context.network_sandbox_policy,
        network: parent_turn_context.network.clone(),
        windows_sandbox_level: parent_turn_context.windows_sandbox_level,
        shell_environment_policy: parent_turn_context.shell_environment_policy.clone(),
--- a/codex-rs/core/src/codex_tests.rs
+++ b/codex-rs/core/src/codex_tests.rs
@@ -1416,6 +1416,8 @@ async fn set_rate_limits_retains_previous_credits() {
        compact_prompt: config.compact_prompt.clone(),
        approval_policy: config.permissions.approval_policy.clone(),
        sandbox_policy: config.permissions.sandbox_policy.clone(),
+        file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: config.permissions.network_sandbox_policy,
        windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
        cwd: config.cwd.clone(),
        codex_home: config.codex_home.clone(),
@@ -1510,6 +1512,8 @@ async fn set_rate_limits_updates_plan_type_when_present() {
        compact_prompt: config.compact_prompt.clone(),
        approval_policy: config.permissions.approval_policy.clone(),
        sandbox_policy: config.permissions.sandbox_policy.clone(),
+        file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: config.permissions.network_sandbox_policy,
        windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
        cwd: config.cwd.clone(),
        codex_home: config.codex_home.clone(),
@@ -1862,6 +1866,8 @@ pub(crate) async fn make_session_configuration_for_tests() -> SessionConfigurati
        compact_prompt: config.compact_prompt.clone(),
        approval_policy: config.permissions.approval_policy.clone(),
        sandbox_policy: config.permissions.sandbox_policy.clone(),
+        file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: config.permissions.network_sandbox_policy,
        windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
        cwd: config.cwd.clone(),
        codex_home: config.codex_home.clone(),
@@ -1919,6 +1925,8 @@ async fn session_new_fails_when_zsh_fork_enabled_without_zsh_path() {
        compact_prompt: config.compact_prompt.clone(),
        approval_policy: config.permissions.approval_policy.clone(),
        sandbox_policy: config.permissions.sandbox_policy.clone(),
+        file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: config.permissions.network_sandbox_policy,
        windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
        cwd: config.cwd.clone(),
        codex_home: config.codex_home.clone(),
@@ -2009,6 +2017,8 @@ pub(crate) async fn make_session_and_context() -> (Session, TurnContext) {
        compact_prompt: config.compact_prompt.clone(),
        approval_policy: config.permissions.approval_policy.clone(),
        sandbox_policy: config.permissions.sandbox_policy.clone(),
+        file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: config.permissions.network_sandbox_policy,
        windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
        cwd: config.cwd.clone(),
        codex_home: config.codex_home.clone(),
@@ -2414,6 +2424,8 @@ pub(crate) async fn make_session_and_context_with_dynamic_tools_and_rx(
        compact_prompt: config.compact_prompt.clone(),
        approval_policy: config.permissions.approval_policy.clone(),
        sandbox_policy: config.permissions.sandbox_policy.clone(),
+        file_system_sandbox_policy: config.permissions.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: config.permissions.network_sandbox_policy,
        windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
        cwd: config.cwd.clone(),
        codex_home: config.codex_home.clone(),
@@ -3841,11 +3853,15 @@ async fn rejects_escalated_permissions_when_policy_not_on_request() {

    // Now retry the same command WITHOUT escalated permissions; should succeed.
    // Force DangerFullAccess to avoid platform sandbox dependencies in tests.
-    Arc::get_mut(&mut turn_context)
-        .expect("unique turn context Arc")
+    let turn_context_mut = Arc::get_mut(&mut turn_context).expect("unique turn context Arc");
+    turn_context_mut
        .sandbox_policy
        .set(SandboxPolicy::DangerFullAccess)
        .expect("test setup should allow updating sandbox policy");
+    turn_context_mut.file_system_sandbox_policy =
+        FileSystemSandboxPolicy::from(turn_context_mut.sandbox_policy.get());
+    turn_context_mut.network_sandbox_policy =
+        NetworkSandboxPolicy::from(turn_context_mut.sandbox_policy.get());

    let resp2 = handler
        .handle(ToolInvocation {
--- a/codex-rs/core/src/config/config_tests.rs
+++ b/codex-rs/core/src/config/config_tests.rs
@@ -13,6 +13,10 @@ use crate::config_loader::RequirementSource;
 use crate::features::Feature;
 use assert_matches::assert_matches;
 use codex_config::CONFIG_TOML_FILE;
+use codex_protocol::permissions::FileSystemAccessMode;
+use codex_protocol::permissions::FileSystemPath;
+use codex_protocol::permissions::FileSystemSandboxEntry;
+use codex_protocol::permissions::FileSystemSpecialPath;
 use serde::Deserialize;
 use tempfile::tempdir;

@@ -197,9 +201,9 @@ fn runtime_config_defaults_model_availability_nux() {
 }

 #[test]
-fn config_toml_deserializes_permissions_network() {
+fn config_toml_deserializes_network() {
    let toml = r#"
-[permissions.network]
+[network]
 enabled = true
 proxy_url = "http://127.0.0.1:43128"
 enable_socks5 = false
@@ -207,12 +211,10 @@ allow_upstream_proxy = false
 allowed_domains = ["openai.com"]
 "#;
    let cfg: ConfigToml =
-        toml::from_str(toml).expect("TOML deserialization should succeed for permissions.network");
+        toml::from_str(toml).expect("TOML deserialization should succeed for [network]");

    assert_eq!(
-        cfg.permissions
-            .and_then(|permissions| permissions.network)
-            .expect("permissions.network should deserialize"),
+        cfg.network.expect("[network] should deserialize"),
        NetworkToml {
            enabled: Some(true),
            proxy_url: Some("http://127.0.0.1:43128".to_string()),
@@ -232,16 +234,14 @@ allowed_domains = ["openai.com"]
 }

 #[test]
-fn permissions_network_enabled_populates_runtime_network_proxy_spec() -> std::io::Result<()> {
+fn network_enabled_populates_runtime_network_proxy_spec() -> std::io::Result<()> {
    let codex_home = TempDir::new()?;
    let cfg = ConfigToml {
-        permissions: Some(PermissionsToml {
-            network: Some(NetworkToml {
-                enabled: Some(true),
-                proxy_url: Some("http://127.0.0.1:43128".to_string()),
-                enable_socks5: Some(false),
-                ..Default::default()
-            }),
+        network: Some(NetworkToml {
+            enabled: Some(true),
+            proxy_url: Some("http://127.0.0.1:43128".to_string()),
+            enable_socks5: Some(false),
+            ..Default::default()
        }),
        ..Default::default()
    };
@@ -255,7 +255,7 @@ fn permissions_network_enabled_populates_runtime_network_proxy_spec() -> std::io
        .permissions
        .network
        .as_ref()
-        .expect("enabled permissions.network should produce a NetworkProxySpec");
+        .expect("enabled [network] should produce a NetworkProxySpec");

    assert_eq!(network.proxy_host_and_port(), "127.0.0.1:43128");
    assert!(!network.socks_enabled());
@@ -263,14 +263,12 @@ fn permissions_network_enabled_populates_runtime_network_proxy_spec() -> std::io
 }

 #[test]
-fn permissions_network_disabled_by_default_does_not_start_proxy() -> std::io::Result<()> {
+fn network_disabled_by_default_does_not_start_proxy() -> std::io::Result<()> {
    let codex_home = TempDir::new()?;
    let cfg = ConfigToml {
-        permissions: Some(PermissionsToml {
-            network: Some(NetworkToml {
-                allowed_domains: Some(vec!["openai.com".to_string()]),
-                ..Default::default()
-            }),
+        network: Some(NetworkToml {
+            allowed_domains: Some(vec!["openai.com".to_string()]),
+            ..Default::default()
        }),
        ..Default::default()
    };
@@ -284,6 +282,365 @@ fn permissions_network_disabled_by_default_does_not_start_proxy() -> std::io::Re
    Ok(())
 }

+#[test]
+fn config_toml_deserializes_permission_profiles() {
+    let toml = r#"
+default_permissions = "workspace"
+
+[permissions.workspace.filesystem]
+":minimal" = "read"
+
+[permissions.workspace.filesystem.":project_roots"]
+"." = "write"
+"docs" = "read"
+"#;
+    let cfg: ConfigToml =
+        toml::from_str(toml).expect("TOML deserialization should succeed for permissions profiles");
+
+    assert_eq!(cfg.default_permissions.as_deref(), Some("workspace"));
+    assert_eq!(
+        cfg.permissions.expect("[permissions] should deserialize"),
+        PermissionsToml {
+            entries: BTreeMap::from([(
+                "workspace".to_string(),
+                PermissionProfileToml {
+                    filesystem: Some(FilesystemPermissionsToml {
+                        entries: BTreeMap::from([
+                            (
+                                ":minimal".to_string(),
+                                FilesystemPermissionToml::Access(FileSystemAccessMode::Read),
+                            ),
+                            (
+                                ":project_roots".to_string(),
+                                FilesystemPermissionToml::Scoped(BTreeMap::from([
+                                    (".".to_string(), FileSystemAccessMode::Write),
+                                    ("docs".to_string(), FileSystemAccessMode::Read),
+                                ])),
+                            ),
+                        ]),
+                    }),
+                    network: None,
+                },
+            )]),
+        }
+    );
+}
+
+#[test]
+fn default_permissions_profile_populates_runtime_sandbox_policy() -> std::io::Result<()> {
+    let codex_home = TempDir::new()?;
+    let cwd = TempDir::new()?;
+    std::fs::create_dir_all(cwd.path().join("docs"))?;
+    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
+
+    let cfg = ConfigToml {
+        default_permissions: Some("workspace".to_string()),
+        permissions: Some(PermissionsToml {
+            entries: BTreeMap::from([(
+                "workspace".to_string(),
+                PermissionProfileToml {
+                    filesystem: Some(FilesystemPermissionsToml {
+                        entries: BTreeMap::from([
+                            (
+                                ":minimal".to_string(),
+                                FilesystemPermissionToml::Access(FileSystemAccessMode::Read),
+                            ),
+                            (
+                                ":project_roots".to_string(),
+                                FilesystemPermissionToml::Scoped(BTreeMap::from([
+                                    (".".to_string(), FileSystemAccessMode::Write),
+                                    ("docs".to_string(), FileSystemAccessMode::Read),
+                                ])),
+                            ),
+                        ]),
+                    }),
+                    network: None,
+                },
+            )]),
+        }),
+        ..Default::default()
+    };
+
+    let config = Config::load_from_base_config_with_overrides(
+        cfg,
+        ConfigOverrides {
+            cwd: Some(cwd.path().to_path_buf()),
+            ..Default::default()
+        },
+        codex_home.path().to_path_buf(),
+    )?;
+
+    let memories_root = AbsolutePathBuf::try_from(codex_home.path().join("memories")).unwrap();
+    assert_eq!(
+        config.permissions.file_system_sandbox_policy,
+        FileSystemSandboxPolicy::restricted(vec![
+            FileSystemSandboxEntry {
+                path: FileSystemPath::Special {
+                    value: FileSystemSpecialPath::Minimal,
+                },
+                access: FileSystemAccessMode::Read,
+            },
+            FileSystemSandboxEntry {
+                path: FileSystemPath::Special {
+                    value: FileSystemSpecialPath::project_roots(None),
+                },
+                access: FileSystemAccessMode::Write,
+            },
+            FileSystemSandboxEntry {
+                path: FileSystemPath::Special {
+                    value: FileSystemSpecialPath::project_roots(Some("docs".into())),
+                },
+                access: FileSystemAccessMode::Read,
+            },
+            FileSystemSandboxEntry {
+                path: FileSystemPath::Path {
+                    path: memories_root.clone(),
+                },
+                access: FileSystemAccessMode::Write,
+            },
+        ]),
+    );
+    assert_eq!(
+        config.permissions.sandbox_policy.get(),
+        &SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![memories_root],
+            read_only_access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: true,
+                readable_roots: vec![
+                    AbsolutePathBuf::try_from(cwd.path().join("docs")).expect("absolute docs path"),
+                ],
+            },
+            network_access: false,
+            exclude_tmpdir_env_var: true,
+            exclude_slash_tmp: true,
+        }
+    );
+    assert_eq!(
+        config.permissions.network_sandbox_policy,
+        NetworkSandboxPolicy::Restricted
+    );
+    Ok(())
+}
+
+#[test]
+fn permissions_profiles_require_default_permissions() -> std::io::Result<()> {
+    let codex_home = TempDir::new()?;
+    let cwd = TempDir::new()?;
+    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
+
+    let err = Config::load_from_base_config_with_overrides(
+        ConfigToml {
+            permissions: Some(PermissionsToml {
+                entries: BTreeMap::from([(
+                    "workspace".to_string(),
+                    PermissionProfileToml {
+                        filesystem: Some(FilesystemPermissionsToml {
+                            entries: BTreeMap::from([(
+                                ":minimal".to_string(),
+                                FilesystemPermissionToml::Access(FileSystemAccessMode::Read),
+                            )]),
+                        }),
+                        network: None,
+                    },
+                )]),
+            }),
+            ..Default::default()
+        },
+        ConfigOverrides {
+            cwd: Some(cwd.path().to_path_buf()),
+            ..Default::default()
+        },
+        codex_home.path().to_path_buf(),
+    )
+    .expect_err("missing default_permissions should be rejected");
+
+    assert_eq!(err.kind(), std::io::ErrorKind::InvalidInput);
+    assert_eq!(
+        err.to_string(),
+        "config defines `[permissions]` profiles but does not set `default_permissions`"
+    );
+    Ok(())
+}
+
+#[test]
+fn permissions_profiles_reject_writes_outside_workspace_root() -> std::io::Result<()> {
+    let codex_home = TempDir::new()?;
+    let cwd = TempDir::new()?;
+    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
+    let external_write_path = if cfg!(windows) { r"C:\temp" } else { "/tmp" };
+
+    let err = Config::load_from_base_config_with_overrides(
+        ConfigToml {
+            default_permissions: Some("workspace".to_string()),
+            permissions: Some(PermissionsToml {
+                entries: BTreeMap::from([(
+                    "workspace".to_string(),
+                    PermissionProfileToml {
+                        filesystem: Some(FilesystemPermissionsToml {
+                            entries: BTreeMap::from([(
+                                external_write_path.to_string(),
+                                FilesystemPermissionToml::Access(FileSystemAccessMode::Write),
+                            )]),
+                        }),
+                        network: None,
+                    },
+                )]),
+            }),
+            ..Default::default()
+        },
+        ConfigOverrides {
+            cwd: Some(cwd.path().to_path_buf()),
+            ..Default::default()
+        },
+        codex_home.path().to_path_buf(),
+    )
+    .expect_err("writes outside the workspace root should be rejected");
+
+    assert_eq!(err.kind(), std::io::ErrorKind::InvalidInput);
+    assert!(
+        err.to_string()
+            .contains("filesystem writes outside the workspace root"),
+        "{err}"
+    );
+    Ok(())
+}
+
+#[test]
+fn permissions_profiles_reject_nested_entries_for_non_project_roots() -> std::io::Result<()> {
+    let codex_home = TempDir::new()?;
+    let cwd = TempDir::new()?;
+    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
+
+    let err = Config::load_from_base_config_with_overrides(
+        ConfigToml {
+            default_permissions: Some("workspace".to_string()),
+            permissions: Some(PermissionsToml {
+                entries: BTreeMap::from([(
+                    "workspace".to_string(),
+                    PermissionProfileToml {
+                        filesystem: Some(FilesystemPermissionsToml {
+                            entries: BTreeMap::from([(
+                                ":minimal".to_string(),
+                                FilesystemPermissionToml::Scoped(BTreeMap::from([(
+                                    "docs".to_string(),
+                                    FileSystemAccessMode::Read,
+                                )])),
+                            )]),
+                        }),
+                        network: None,
+                    },
+                )]),
+            }),
+            ..Default::default()
+        },
+        ConfigOverrides {
+            cwd: Some(cwd.path().to_path_buf()),
+            ..Default::default()
+        },
+        codex_home.path().to_path_buf(),
+    )
+    .expect_err("nested entries outside :project_roots should be rejected");
+
+    assert_eq!(err.kind(), std::io::ErrorKind::InvalidInput);
+    assert_eq!(
+        err.to_string(),
+        "filesystem path `:minimal` does not support nested entries"
+    );
+    Ok(())
+}
+
+#[test]
+fn permissions_profiles_reject_project_root_parent_traversal() -> std::io::Result<()> {
+    let codex_home = TempDir::new()?;
+    let cwd = TempDir::new()?;
+    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
+
+    let err = Config::load_from_base_config_with_overrides(
+        ConfigToml {
+            default_permissions: Some("workspace".to_string()),
+            permissions: Some(PermissionsToml {
+                entries: BTreeMap::from([(
+                    "workspace".to_string(),
+                    PermissionProfileToml {
+                        filesystem: Some(FilesystemPermissionsToml {
+                            entries: BTreeMap::from([(
+                                ":project_roots".to_string(),
+                                FilesystemPermissionToml::Scoped(BTreeMap::from([(
+                                    "../sibling".to_string(),
+                                    FileSystemAccessMode::Read,
+                                )])),
+                            )]),
+                        }),
+                        network: None,
+                    },
+                )]),
+            }),
+            ..Default::default()
+        },
+        ConfigOverrides {
+            cwd: Some(cwd.path().to_path_buf()),
+            ..Default::default()
+        },
+        codex_home.path().to_path_buf(),
+    )
+    .expect_err("parent traversal should be rejected for project root subpaths");
+
+    assert_eq!(err.kind(), std::io::ErrorKind::InvalidInput);
+    assert_eq!(
+        err.to_string(),
+        "filesystem subpath `../sibling` must be a descendant path without `.` or `..` components"
+    );
+    Ok(())
+}
+
+#[test]
+fn permissions_profiles_allow_network_enablement() -> std::io::Result<()> {
+    let codex_home = TempDir::new()?;
+    let cwd = TempDir::new()?;
+    std::fs::write(cwd.path().join(".git"), "gitdir: nowhere")?;
+
+    let config = Config::load_from_base_config_with_overrides(
+        ConfigToml {
+            default_permissions: Some("workspace".to_string()),
+            permissions: Some(PermissionsToml {
+                entries: BTreeMap::from([(
+                    "workspace".to_string(),
+                    PermissionProfileToml {
+                        filesystem: Some(FilesystemPermissionsToml {
+                            entries: BTreeMap::from([(
+                                ":minimal".to_string(),
+                                FilesystemPermissionToml::Access(FileSystemAccessMode::Read),
+                            )]),
+                        }),
+                        network: Some(PermissionProfileNetworkToml {
+                            enabled: Some(true),
+                        }),
+                    },
+                )]),
+            }),
+            ..Default::default()
+        },
+        ConfigOverrides {
+            cwd: Some(cwd.path().to_path_buf()),
+            ..Default::default()
+        },
+        codex_home.path().to_path_buf(),
+    )?;
+
+    assert!(
+        config.permissions.network_sandbox_policy.is_enabled(),
+        "expected network sandbox policy to be enabled",
+    );
+    assert!(
+        config
+            .permissions
+            .sandbox_policy
+            .get()
+            .has_full_network_access()
+    );
+    Ok(())
+}
+
 #[test]
 fn tui_theme_deserializes_from_toml() {
    let cfg = r#"
@@ -2653,6 +3010,10 @@ fn test_precedence_fixture_with_o3_profile() -> std::io::Result<()> {
            permissions: Permissions {
                approval_policy: Constrained::allow_any(AskForApproval::Never),
                sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+                file_system_sandbox_policy: FileSystemSandboxPolicy::from(
+                    &SandboxPolicy::new_read_only_policy(),
+                ),
+                network_sandbox_policy: NetworkSandboxPolicy::Restricted,
                network: None,
                allow_login_shell: true,
                shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -2782,6 +3143,10 @@ fn test_precedence_fixture_with_gpt3_profile() -> std::io::Result<()> {
        permissions: Permissions {
            approval_policy: Constrained::allow_any(AskForApproval::UnlessTrusted),
            sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+            file_system_sandbox_policy: FileSystemSandboxPolicy::from(
+                &SandboxPolicy::new_read_only_policy(),
+            ),
+            network_sandbox_policy: NetworkSandboxPolicy::Restricted,
            network: None,
            allow_login_shell: true,
            shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -2909,6 +3274,10 @@ fn test_precedence_fixture_with_zdr_profile() -> std::io::Result<()> {
        permissions: Permissions {
            approval_policy: Constrained::allow_any(AskForApproval::OnFailure),
            sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+            file_system_sandbox_policy: FileSystemSandboxPolicy::from(
+                &SandboxPolicy::new_read_only_policy(),
+            ),
+            network_sandbox_policy: NetworkSandboxPolicy::Restricted,
            network: None,
            allow_login_shell: true,
            shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -3022,6 +3391,10 @@ fn test_precedence_fixture_with_gpt5_profile() -> std::io::Result<()> {
        permissions: Permissions {
            approval_policy: Constrained::allow_any(AskForApproval::OnFailure),
            sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+            file_system_sandbox_policy: FileSystemSandboxPolicy::from(
+                &SandboxPolicy::new_read_only_policy(),
+            ),
+            network_sandbox_policy: NetworkSandboxPolicy::Restricted,
            network: None,
            allow_login_shell: true,
            shell_environment_policy: ShellEnvironmentPolicy::default(),
--- a/codex-rs/core/src/config/mod.rs
+++ b/codex-rs/core/src/config/mod.rs
@@ -27,6 +27,7 @@ use crate::config::types::WindowsSandboxModeToml;
 use crate::config::types::WindowsToml;
 use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::ConfigLayerStack;
+use crate::config_loader::ConfigLayerStackOrdering;
 use crate::config_loader::ConfigRequirements;
 use crate::config_loader::ConstrainedWithSource;
 use crate::config_loader::LoaderOverrides;
@@ -72,6 +73,8 @@ use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::models::MacOsSeatbeltProfileExtensions;
 use codex_protocol::openai_models::ModelsResponse;
 use codex_protocol::openai_models::ReasoningEffort;
+use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::NetworkSandboxPolicy;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::AbsolutePathBufGuard;
@@ -86,7 +89,8 @@ use std::io::ErrorKind;
 use std::path::Path;
 use std::path::PathBuf;

-use crate::config::permissions::network_proxy_config_from_permissions;
+use crate::config::permissions::compile_permission_profile;
+use crate::config::permissions::network_proxy_config_from_network;
 use crate::config::profile::ConfigProfile;
 use toml::Value as TomlValue;
 use toml_edit::DocumentMut;
@@ -107,7 +111,11 @@ pub use codex_network_proxy::NetworkProxyAuditMetadata;
 pub use managed_features::ManagedFeatures;
 pub use network_proxy_spec::NetworkProxySpec;
 pub use network_proxy_spec::StartedNetworkProxy;
+pub use permissions::FilesystemPermissionToml;
+pub use permissions::FilesystemPermissionsToml;
 pub use permissions::NetworkToml;
+pub use permissions::PermissionProfileNetworkToml;
+pub use permissions::PermissionProfileToml;
 pub use permissions::PermissionsToml;
 pub use service::ConfigService;
 pub use service::ConfigServiceError;
@@ -137,11 +145,9 @@ fn resolve_sqlite_home_env(resolved_cwd: &Path) -> Option<PathBuf> {
        Some(resolved_cwd.join(path))
    }
 }
-
 #[cfg(test)]
 pub(crate) fn test_config() -> Config {
-    use tempfile::tempdir;
-    let codex_home = tempdir().expect("create temp dir");
+    let codex_home = tempfile::tempdir().expect("create temp dir");
    Config::load_from_base_config_with_overrides(
        ConfigToml::default(),
        ConfigOverrides::default(),
@@ -157,6 +163,12 @@ pub struct Permissions {
    pub approval_policy: Constrained<AskForApproval>,
    /// Effective sandbox policy used for shell/unified exec.
    pub sandbox_policy: Constrained<SandboxPolicy>,
+    /// Effective filesystem sandbox policy, including entries that cannot yet
+    /// be fully represented by the legacy [`SandboxPolicy`] projection.
+    pub file_system_sandbox_policy: FileSystemSandboxPolicy,
+    /// Effective network sandbox policy split out from the legacy
+    /// [`SandboxPolicy`] projection.
+    pub network_sandbox_policy: NetworkSandboxPolicy,
    /// Effective network configuration applied to all spawned processes.
    pub network: Option<NetworkProxySpec>,
    /// Whether the model may request a login shell for shell-based tools.
@@ -1045,10 +1057,18 @@ pub struct ConfigToml {
    /// Sandbox configuration to apply if `sandbox` is `WorkspaceWrite`.
    pub sandbox_workspace_write: Option<SandboxWorkspaceWrite>,

-    /// Nested permissions settings.
+    /// Default named permissions profile to apply from the `[permissions]`
+    /// table.
+    pub default_permissions: Option<String>,
+
+    /// Named permissions profiles.
    #[serde(default)]
    pub permissions: Option<PermissionsToml>,

+    /// Top-level network proxy settings.
+    #[serde(default)]
+    pub network: Option<NetworkToml>,
+
    /// Optional external command to spawn for end-user notifications.
    #[serde(default)]
    pub notify: Option<Vec<String>>,
@@ -1563,6 +1583,78 @@ impl ConfigToml {
    }
 }

+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum PermissionConfigSyntax {
+    Legacy,
+    Profiles,
+}
+
+#[derive(Debug, Deserialize, Default)]
+struct PermissionSelectionToml {
+    default_permissions: Option<String>,
+    sandbox_mode: Option<SandboxMode>,
+}
+
+fn resolve_permission_config_syntax(
+    config_layer_stack: &ConfigLayerStack,
+    cfg: &ConfigToml,
+    sandbox_mode_override: Option<SandboxMode>,
+    profile_sandbox_mode: Option<SandboxMode>,
+) -> Option<PermissionConfigSyntax> {
+    if sandbox_mode_override.is_some() || profile_sandbox_mode.is_some() {
+        return Some(PermissionConfigSyntax::Legacy);
+    }
+
+    let mut selection = None;
+    for layer in
+        config_layer_stack.get_layers(ConfigLayerStackOrdering::LowestPrecedenceFirst, false)
+    {
+        let Ok(layer_selection) = layer.config.clone().try_into::<PermissionSelectionToml>() else {
+            continue;
+        };
+
+        if layer_selection.sandbox_mode.is_some() {
+            selection = Some(PermissionConfigSyntax::Legacy);
+        }
+        if layer_selection.default_permissions.is_some() {
+            selection = Some(PermissionConfigSyntax::Profiles);
+        }
+    }
+
+    selection.or_else(|| {
+        if cfg.default_permissions.is_some() {
+            Some(PermissionConfigSyntax::Profiles)
+        } else if cfg.sandbox_mode.is_some() {
+            Some(PermissionConfigSyntax::Legacy)
+        } else {
+            None
+        }
+    })
+}
+
+fn add_additional_file_system_writes(
+    file_system_sandbox_policy: &mut FileSystemSandboxPolicy,
+    additional_writable_roots: &[AbsolutePathBuf],
+) {
+    for path in additional_writable_roots {
+        let exists = file_system_sandbox_policy.entries.iter().any(|entry| {
+            matches!(
+                &entry.path,
+                codex_protocol::permissions::FileSystemPath::Path { path: existing }
+                    if existing == path && entry.access == codex_protocol::permissions::FileSystemAccessMode::Write
+            )
+        });
+        if !exists {
+            file_system_sandbox_policy.entries.push(
+                codex_protocol::permissions::FileSystemSandboxEntry {
+                    path: codex_protocol::permissions::FileSystemPath::Path { path: path.clone() },
+                    access: codex_protocol::permissions::FileSystemAccessMode::Write,
+                },
+            );
+        }
+    }
+}
+
 /// Optional overrides for user configuration (e.g., from CLI flags).
 #[derive(Default, Debug, Clone)]
 pub struct ConfigOverrides {
@@ -1751,7 +1843,7 @@ impl Config {
            None => ConfigProfile::default(),
        };
        let configured_network_proxy_config =
-            network_proxy_config_from_permissions(cfg.permissions.as_ref());
+            network_proxy_config_from_network(cfg.network.as_ref());

        let feature_overrides = FeatureOverrides {
            include_apply_patch_tool: include_apply_patch_tool_override,
@@ -1779,42 +1871,113 @@ impl Config {
                }
            }
        });
-        let additional_writable_roots: Vec<AbsolutePathBuf> = additional_writable_roots
+        let mut additional_writable_roots: Vec<AbsolutePathBuf> = additional_writable_roots
            .into_iter()
            .map(|path| AbsolutePathBuf::resolve_path_against_base(path, &resolved_cwd))
            .collect::<Result<Vec<_>, _>>()?;
        let active_project = cfg
            .get_active_project(&resolved_cwd)
            .unwrap_or(ProjectConfig { trust_level: None });
+        let permission_config_syntax = resolve_permission_config_syntax(
+            &config_layer_stack,
+            &cfg,
+            sandbox_mode,
+            config_profile.sandbox_mode,
+        );
+        let has_permission_profiles = cfg
+            .permissions
+            .as_ref()
+            .is_some_and(|profiles| !profiles.is_empty());
+        if has_permission_profiles
+            && !matches!(
+                permission_config_syntax,
+                Some(PermissionConfigSyntax::Legacy)
+            )
+            && cfg.default_permissions.is_none()
+        {
+            return Err(std::io::Error::new(
+                std::io::ErrorKind::InvalidInput,
+                "config defines `[permissions]` profiles but does not set `default_permissions`",
+            ));
+        }

        let windows_sandbox_level = match windows_sandbox_mode {
            Some(WindowsSandboxModeToml::Elevated) => WindowsSandboxLevel::Elevated,
            Some(WindowsSandboxModeToml::Unelevated) => WindowsSandboxLevel::RestrictedToken,
            None => WindowsSandboxLevel::from_features(&features),
        };
-        let mut sandbox_policy = cfg.derive_sandbox_policy(
-            sandbox_mode,
-            config_profile.sandbox_mode,
-            windows_sandbox_level,
-            &resolved_cwd,
-            Some(&constrained_sandbox_policy),
-        );
-        if let SandboxPolicy::WorkspaceWrite { writable_roots, .. } = &mut sandbox_policy {
-            let memories_root = memory_root(&codex_home);
-            std::fs::create_dir_all(&memories_root)?;
-            let memories_root = AbsolutePathBuf::from_absolute_path(&memories_root)?;
-            if !writable_roots
-                .iter()
-                .any(|existing| existing == &memories_root)
-            {
-                writable_roots.push(memories_root);
-            }
-            for path in additional_writable_roots {
-                if !writable_roots.iter().any(|existing| existing == &path) {
-                    writable_roots.push(path);
-                }
-            }
+        let memories_root = memory_root(&codex_home);
+        std::fs::create_dir_all(&memories_root)?;
+        let memories_root = AbsolutePathBuf::from_absolute_path(&memories_root)?;
+        if !additional_writable_roots
+            .iter()
+            .any(|existing| existing == &memories_root)
+        {
+            additional_writable_roots.push(memories_root);
        }
+
+        let profiles_are_active = matches!(
+            permission_config_syntax,
+            Some(PermissionConfigSyntax::Profiles)
+        ) || (permission_config_syntax.is_none()
+            && has_permission_profiles);
+        let (sandbox_policy, file_system_sandbox_policy, network_sandbox_policy) =
+            if profiles_are_active {
+                let permissions = cfg.permissions.as_ref().ok_or_else(|| {
+                    std::io::Error::new(
+                        std::io::ErrorKind::InvalidInput,
+                        "default_permissions requires a `[permissions]` table",
+                    )
+                })?;
+                let default_permissions = cfg.default_permissions.as_deref().ok_or_else(|| {
+                    std::io::Error::new(
+                        std::io::ErrorKind::InvalidInput,
+                        "default_permissions requires a named permissions profile",
+                    )
+                })?;
+                let (mut file_system_sandbox_policy, network_sandbox_policy) =
+                    compile_permission_profile(permissions, default_permissions)?;
+                let mut sandbox_policy = file_system_sandbox_policy
+                    .to_legacy_sandbox_policy(network_sandbox_policy, &resolved_cwd)?;
+                if matches!(sandbox_policy, SandboxPolicy::WorkspaceWrite { .. }) {
+                    add_additional_file_system_writes(
+                        &mut file_system_sandbox_policy,
+                        &additional_writable_roots,
+                    );
+                    sandbox_policy = file_system_sandbox_policy
+                        .to_legacy_sandbox_policy(network_sandbox_policy, &resolved_cwd)?;
+                }
+                (
+                    sandbox_policy,
+                    file_system_sandbox_policy,
+                    network_sandbox_policy,
+                )
+            } else {
+                let mut sandbox_policy = cfg.derive_sandbox_policy(
+                    sandbox_mode,
+                    config_profile.sandbox_mode,
+                    windows_sandbox_level,
+                    &resolved_cwd,
+                    Some(&constrained_sandbox_policy),
+                );
+                if let SandboxPolicy::WorkspaceWrite { writable_roots, .. } = &mut sandbox_policy {
+                    for path in &additional_writable_roots {
+                        if !writable_roots.iter().any(|existing| existing == path) {
+                            writable_roots.push(path.clone());
+                        }
+                    }
+                }
+                let file_system_sandbox_policy = FileSystemSandboxPolicy::from(&sandbox_policy);
+                let network_sandbox_policy = NetworkSandboxPolicy::from(&sandbox_policy);
+                (
+                    sandbox_policy,
+                    file_system_sandbox_policy,
+                    network_sandbox_policy,
+                )
+            };
+        let approval_policy_was_explicit = approval_policy_override.is_some()
+            || config_profile.approval_policy.is_some()
+            || cfg.approval_policy.is_some();
        let mut approval_policy = approval_policy_override
            .or(config_profile.approval_policy)
            .or(cfg.approval_policy)
@@ -1827,7 +1990,9 @@ impl Config {
                    AskForApproval::default()
                }
            });
-        if let Err(err) = constrained_approval_policy.can_set(&approval_policy) {
+        if !approval_policy_was_explicit
+            && let Err(err) = constrained_approval_policy.can_set(&approval_policy)
+        {
            tracing::warn!(
                error = %err,
                "default approval policy is disallowed by requirements; falling back to required default"
@@ -2072,6 +2237,7 @@ impl Config {
            .map(AbsolutePathBuf::to_path_buf)
            .or_else(|| resolve_sqlite_home_env(&resolved_cwd))
            .unwrap_or_else(|| codex_home.to_path_buf());
+        let original_sandbox_policy = sandbox_policy.clone();

        apply_requirement_constrained_value(
            "approval_policy",
@@ -2119,6 +2285,19 @@ impl Config {
        } else {
            network.enabled().then_some(network)
        };
+        let effective_sandbox_policy = constrained_sandbox_policy.value.get().clone();
+        let effective_file_system_sandbox_policy =
+            if effective_sandbox_policy == original_sandbox_policy {
+                file_system_sandbox_policy
+            } else {
+                FileSystemSandboxPolicy::from(&effective_sandbox_policy)
+            };
+        let effective_network_sandbox_policy =
+            if effective_sandbox_policy == original_sandbox_policy {
+                network_sandbox_policy
+            } else {
+                NetworkSandboxPolicy::from(&effective_sandbox_policy)
+            };

        let config = Self {
            model,
@@ -2133,6 +2312,8 @@ impl Config {
            permissions: Permissions {
                approval_policy: constrained_approval_policy.value,
                sandbox_policy: constrained_sandbox_policy.value,
+                file_system_sandbox_policy: effective_file_system_sandbox_policy,
+                network_sandbox_policy: effective_network_sandbox_policy,
                network,
                allow_login_shell,
                shell_environment_policy,
--- a/codex-rs/core/src/config/permissions.rs
+++ b/codex-rs/core/src/config/permissions.rs
@@ -1,15 +1,64 @@
+use std::collections::BTreeMap;
+use std::io;
+use std::path::Component;
+use std::path::Path;
+use std::path::PathBuf;
+
 use codex_network_proxy::NetworkMode;
 use codex_network_proxy::NetworkProxyConfig;
+use codex_protocol::permissions::FileSystemAccessMode;
+use codex_protocol::permissions::FileSystemPath;
+use codex_protocol::permissions::FileSystemSandboxEntry;
+use codex_protocol::permissions::FileSystemSandboxPolicy;
+use codex_protocol::permissions::FileSystemSpecialPath;
+use codex_protocol::permissions::NetworkSandboxPolicy;
+use codex_utils_absolute_path::AbsolutePathBuf;
 use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;

 #[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[schemars(deny_unknown_fields)]
 pub struct PermissionsToml {
-    /// Network proxy settings from `[permissions.network]`.
-    /// User config can enable the proxy; managed requirements may still constrain values.
-    pub network: Option<NetworkToml>,
+    #[serde(flatten)]
+    pub entries: BTreeMap<String, PermissionProfileToml>,
+}
+
+impl PermissionsToml {
+    pub fn is_empty(&self) -> bool {
+        self.entries.is_empty()
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
+#[schemars(deny_unknown_fields)]
+pub struct PermissionProfileToml {
+    pub filesystem: Option<FilesystemPermissionsToml>,
+    pub network: Option<PermissionProfileNetworkToml>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
+pub struct FilesystemPermissionsToml {
+    #[serde(flatten)]
+    pub entries: BTreeMap<String, FilesystemPermissionToml>,
+}
+
+impl FilesystemPermissionsToml {
+    pub fn is_empty(&self) -> bool {
+        self.entries.is_empty()
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema)]
+#[serde(untagged)]
+pub enum FilesystemPermissionToml {
+    Access(FileSystemAccessMode),
+    Scoped(BTreeMap<String, FileSystemAccessMode>),
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
+#[schemars(deny_unknown_fields)]
+pub struct PermissionProfileNetworkToml {
+    pub enabled: Option<bool>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
@@ -91,13 +140,168 @@ impl NetworkToml {
    }
 }

-pub(crate) fn network_proxy_config_from_permissions(
-    permissions: Option<&PermissionsToml>,
+pub(crate) fn network_proxy_config_from_network(
+    network: Option<&NetworkToml>,
 ) -> NetworkProxyConfig {
-    permissions
-        .and_then(|permissions| permissions.network.as_ref())
-        .map_or_else(
-            NetworkProxyConfig::default,
-            NetworkToml::to_network_proxy_config,
-        )
+    network.map_or_else(
+        NetworkProxyConfig::default,
+        NetworkToml::to_network_proxy_config,
+    )
+}
+
+pub(crate) fn compile_permission_profile(
+    permissions: &PermissionsToml,
+    profile_name: &str,
+) -> io::Result<(FileSystemSandboxPolicy, NetworkSandboxPolicy)> {
+    let profile = permissions.entries.get(profile_name).ok_or_else(|| {
+        io::Error::new(
+            io::ErrorKind::InvalidInput,
+            format!("default_permissions refers to undefined profile `{profile_name}`"),
+        )
+    })?;
+
+    let filesystem = profile.filesystem.as_ref().ok_or_else(|| {
+        io::Error::new(
+            io::ErrorKind::InvalidInput,
+            format!(
+                "permissions profile `{profile_name}` must define a `[permissions.{profile_name}.filesystem]` table"
+            ),
+        )
+    })?;
+
+    if filesystem.is_empty() {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            format!(
+                "permissions profile `{profile_name}` must define at least one filesystem entry"
+            ),
+        ));
+    }
+
+    let mut entries = Vec::new();
+    for (path, permission) in &filesystem.entries {
+        compile_filesystem_permission(path, permission, &mut entries)?;
+    }
+
+    let network_sandbox_policy = compile_network_sandbox_policy(profile.network.as_ref());
+
+    Ok((
+        FileSystemSandboxPolicy::restricted(entries),
+        network_sandbox_policy,
+    ))
+}
+
+fn compile_network_sandbox_policy(
+    network: Option<&PermissionProfileNetworkToml>,
+) -> NetworkSandboxPolicy {
+    let Some(network) = network else {
+        return NetworkSandboxPolicy::Restricted;
+    };
+
+    match network.enabled {
+        Some(true) => NetworkSandboxPolicy::Enabled,
+        _ => NetworkSandboxPolicy::Restricted,
+    }
+}
+
+fn compile_filesystem_permission(
+    path: &str,
+    permission: &FilesystemPermissionToml,
+    entries: &mut Vec<FileSystemSandboxEntry>,
+) -> io::Result<()> {
+    match permission {
+        FilesystemPermissionToml::Access(access) => entries.push(FileSystemSandboxEntry {
+            path: compile_filesystem_path(path)?,
+            access: *access,
+        }),
+        FilesystemPermissionToml::Scoped(scoped_entries) => {
+            for (subpath, access) in scoped_entries {
+                entries.push(FileSystemSandboxEntry {
+                    path: compile_scoped_filesystem_path(path, subpath)?,
+                    access: *access,
+                });
+            }
+        }
+    }
+    Ok(())
+}
+
+fn compile_filesystem_path(path: &str) -> io::Result<FileSystemPath> {
+    if let Some(special) = parse_special_path(path)? {
+        return Ok(FileSystemPath::Special { value: special });
+    }
+
+    let path = parse_absolute_path(path)?;
+    Ok(FileSystemPath::Path { path })
+}
+
+fn compile_scoped_filesystem_path(path: &str, subpath: &str) -> io::Result<FileSystemPath> {
+    if subpath == "." {
+        return compile_filesystem_path(path);
+    }
+
+    if let Some(special) = parse_special_path(path)? {
+        if !matches!(special, FileSystemSpecialPath::ProjectRoots { .. }) {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                format!("filesystem path `{path}` does not support nested entries"),
+            ));
+        }
+        return Ok(FileSystemPath::Special {
+            value: FileSystemSpecialPath::project_roots(Some(parse_relative_subpath(subpath)?)),
+        });
+    }
+
+    let subpath = parse_relative_subpath(subpath)?;
+    let base = parse_absolute_path(path)?;
+    let path = AbsolutePathBuf::resolve_path_against_base(&subpath, base.as_path())?;
+    Ok(FileSystemPath::Path { path })
+}
+
+fn parse_special_path(path: &str) -> io::Result<Option<FileSystemSpecialPath>> {
+    let special = match path {
+        ":root" => Some(FileSystemSpecialPath::Root),
+        ":minimal" => Some(FileSystemSpecialPath::Minimal),
+        ":project_roots" => Some(FileSystemSpecialPath::project_roots(None)),
+        ":tmpdir" => Some(FileSystemSpecialPath::Tmpdir),
+        _ if path.starts_with(':') => {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                format!("unknown filesystem special path `{path}`"),
+            ));
+        }
+        _ => None,
+    };
+
+    Ok(special)
+}
+
+fn parse_absolute_path(path: &str) -> io::Result<AbsolutePathBuf> {
+    let path_ref = Path::new(path);
+    if !path_ref.is_absolute() && path != "~" && !path.starts_with("~/") {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            format!("filesystem path `{path}` must be absolute, use `~/...`, or start with `:`"),
+        ));
+    }
+    AbsolutePathBuf::from_absolute_path(path_ref)
+}
+
+fn parse_relative_subpath(subpath: &str) -> io::Result<PathBuf> {
+    let path = Path::new(subpath);
+    if !subpath.is_empty()
+        && path
+            .components()
+            .all(|component| matches!(component, Component::Normal(_)))
+    {
+        return Ok(path.to_path_buf());
+    }
+
+    Err(io::Error::new(
+        io::ErrorKind::InvalidInput,
+        format!(
+            "filesystem subpath `{}` must be a descendant path without `.` or `..` components",
+            path.display()
+        ),
+    ))
 }
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -24,6 +24,9 @@ use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandOutputDeltaEvent;
 use crate::protocol::ExecOutputStream;
+use crate::protocol::FileSystemSandboxKind;
+use crate::protocol::FileSystemSandboxPolicy;
+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::SandboxPolicy;
 use crate::sandboxing::CommandSpec;
 use crate::sandboxing::ExecRequest;
@@ -149,9 +152,12 @@ pub struct StdoutStream {
    pub tx_event: Sender<Event>,
 }

+#[allow(clippy::too_many_arguments)]
 pub async fn process_exec_tool_call(
    params: ExecParams,
    sandbox_policy: &SandboxPolicy,
+    file_system_sandbox_policy: &FileSystemSandboxPolicy,
+    network_sandbox_policy: NetworkSandboxPolicy,
    sandbox_cwd: &Path,
    codex_linux_sandbox_exe: &Option<PathBuf>,
    use_linux_sandbox_bwrap: bool,
@@ -159,8 +165,8 @@ pub async fn process_exec_tool_call(
 ) -> Result<ExecToolCallOutput> {
    let windows_sandbox_level = params.windows_sandbox_level;
    let enforce_managed_network = params.network.is_some();
-    let sandbox_type = match &sandbox_policy {
-        SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
+    let sandbox_type = match file_system_sandbox_policy.kind {
+        FileSystemSandboxKind::Unrestricted | FileSystemSandboxKind::ExternalSandbox => {
            if enforce_managed_network {
                get_platform_sandbox(
                    windows_sandbox_level
@@ -215,6 +221,8 @@ pub async fn process_exec_tool_call(
        .transform(crate::sandboxing::SandboxTransformRequest {
            spec,
            policy: sandbox_policy,
+            file_system_policy: file_system_sandbox_policy,
+            network_policy: network_sandbox_policy,
            sandbox: sandbox_type,
            enforce_managed_network,
            network: network.as_ref(),
@@ -247,9 +255,12 @@ pub(crate) async fn execute_exec_request(
        windows_sandbox_level,
        sandbox_permissions,
        sandbox_policy: _sandbox_policy_from_env,
+        file_system_sandbox_policy,
+        network_sandbox_policy,
        justification,
        arg0,
    } = exec_request;
+    let _ = _sandbox_policy_from_env;

    let params = ExecParams {
        command,
@@ -264,7 +275,16 @@ pub(crate) async fn execute_exec_request(
    };

    let start = Instant::now();
-    let raw_output_result = exec(params, sandbox, sandbox_policy, stdout_stream, after_spawn).await;
+    let raw_output_result = exec(
+        params,
+        sandbox,
+        sandbox_policy,
+        &file_system_sandbox_policy,
+        network_sandbox_policy,
+        stdout_stream,
+        after_spawn,
+    )
+    .await;
    let duration = start.elapsed();
    finalize_exec_result(raw_output_result, sandbox, duration)
 }
@@ -693,16 +713,17 @@ async fn exec(
    params: ExecParams,
    sandbox: SandboxType,
    sandbox_policy: &SandboxPolicy,
+    file_system_sandbox_policy: &FileSystemSandboxPolicy,
+    network_sandbox_policy: NetworkSandboxPolicy,
    stdout_stream: Option<StdoutStream>,
    after_spawn: Option<Box<dyn FnOnce() + Send>>,
 ) -> Result<RawExecToolCallOutput> {
    #[cfg(target_os = "windows")]
-    if sandbox == SandboxType::WindowsRestrictedToken
-        && !matches!(
-            sandbox_policy,
-            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
-        )
-    {
+    if should_use_windows_restricted_token_sandbox(
+        sandbox,
+        sandbox_policy,
+        file_system_sandbox_policy,
+    ) {
        return exec_windows_sandbox(params, sandbox_policy).await;
    }
    let ExecParams {
@@ -731,7 +752,7 @@ async fn exec(
        args: args.into(),
        arg0: arg0_ref,
        cwd,
-        sandbox_policy,
+        network_sandbox_policy,
        // The environment already has attempt-scoped proxy settings from
        // apply_to_env_for_attempt above. Passing network here would reapply
        // non-attempt proxy vars and drop attempt correlation metadata.
@@ -746,6 +767,20 @@ async fn exec(
    consume_truncated_output(child, expiration, stdout_stream).await
 }

+#[cfg_attr(not(target_os = "windows"), allow(dead_code))]
+fn should_use_windows_restricted_token_sandbox(
+    sandbox: SandboxType,
+    sandbox_policy: &SandboxPolicy,
+    file_system_sandbox_policy: &FileSystemSandboxPolicy,
+) -> bool {
+    sandbox == SandboxType::WindowsRestrictedToken
+        && file_system_sandbox_policy.kind == FileSystemSandboxKind::Restricted
+        && !matches!(
+            sandbox_policy,
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+        )
+}
+
 /// Consumes the output of a child process, truncating it so it is suitable for
 /// use as the output of a `shell` tool call. Also enforces specified timeout.
 async fn consume_truncated_output(
@@ -1098,6 +1133,38 @@ mod tests {
        assert_eq!(aggregated.truncated_after_lines, None);
    }

+    #[test]
+    fn windows_restricted_token_skips_external_sandbox_policies() {
+        let policy = SandboxPolicy::ExternalSandbox {
+            network_access: codex_protocol::protocol::NetworkAccess::Restricted,
+        };
+        let file_system_policy = FileSystemSandboxPolicy::restricted(vec![]);
+
+        assert_eq!(
+            should_use_windows_restricted_token_sandbox(
+                SandboxType::WindowsRestrictedToken,
+                &policy,
+                &file_system_policy,
+            ),
+            false
+        );
+    }
+
+    #[test]
+    fn windows_restricted_token_runs_for_legacy_restricted_policies() {
+        let policy = SandboxPolicy::new_read_only_policy();
+        let file_system_policy = FileSystemSandboxPolicy::restricted(vec![]);
+
+        assert_eq!(
+            should_use_windows_restricted_token_sandbox(
+                SandboxType::WindowsRestrictedToken,
+                &policy,
+                &file_system_policy,
+            ),
+            true
+        );
+    }
+
    #[cfg(unix)]
    #[test]
    fn sandbox_detection_flags_sigsys_exit_code() {
@@ -1140,6 +1207,8 @@ mod tests {
            params,
            SandboxType::None,
            &SandboxPolicy::new_read_only_policy(),
+            &FileSystemSandboxPolicy::from(&SandboxPolicy::new_read_only_policy()),
+            NetworkSandboxPolicy::Restricted,
            None,
            None,
        )
@@ -1196,6 +1265,8 @@ mod tests {
        let result = process_exec_tool_call(
            params,
            &SandboxPolicy::DangerFullAccess,
+            &FileSystemSandboxPolicy::from(&SandboxPolicy::DangerFullAccess),
+            NetworkSandboxPolicy::Enabled,
            cwd.as_path(),
            &None,
            false,
--- a/codex-rs/core/src/landlock.rs
+++ b/codex-rs/core/src/landlock.rs
@@ -1,3 +1,4 @@
+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::SandboxPolicy;
 use crate::spawn::SpawnChildRequest;
 use crate::spawn::StdioPolicy;
@@ -44,7 +45,7 @@ where
        args,
        arg0,
        cwd: command_cwd,
-        sandbox_policy,
+        network_sandbox_policy: NetworkSandboxPolicy::from(sandbox_policy),
        network,
        stdio_policy,
        env,
--- a/codex-rs/core/src/network_proxy_loader.rs
+++ b/codex-rs/core/src/network_proxy_loader.rs
@@ -1,5 +1,4 @@
 use crate::config::NetworkToml;
-use crate::config::PermissionsToml;
 use crate::config::find_codex_home;
 use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::ConfigLayerStack;
@@ -121,12 +120,6 @@ fn network_constraints_from_trusted_layers(
        if let Some(network) = parsed.network {
            apply_network_constraints(network, &mut constraints);
        }
-        if let Some(network) = parsed
-            .permissions
-            .and_then(|permissions| permissions.network)
-        {
-            apply_network_constraints(network, &mut constraints);
-        }
    }
    Ok(constraints)
 }
@@ -166,7 +159,6 @@ fn apply_network_constraints(network: NetworkToml, constraints: &mut NetworkProx
 #[derive(Debug, Clone, Default, Deserialize)]
 struct NetworkTablesToml {
    network: Option<NetworkToml>,
-    permissions: Option<PermissionsToml>,
 }

 fn network_tables_from_toml(value: &toml::Value) -> Result<NetworkTablesToml> {
@@ -180,12 +172,6 @@ fn apply_network_tables(config: &mut NetworkProxyConfig, parsed: NetworkTablesTo
    if let Some(network) = parsed.network {
        network.apply_to_network_proxy_config(config);
    }
-    if let Some(network) = parsed
-        .permissions
-        .and_then(|permissions| permissions.network)
-    {
-        network.apply_to_network_proxy_config(config);
-    }
 }

 fn config_from_layers(
@@ -310,10 +296,10 @@ mod tests {
    use pretty_assertions::assert_eq;

    #[test]
-    fn higher_precedence_network_table_beats_lower_permissions_network_table() {
-        let lower_permissions: toml::Value = toml::from_str(
+    fn higher_precedence_network_table_beats_lower_network_table() {
+        let lower_network: toml::Value = toml::from_str(
            r#"
-[permissions.network]
+[network]
 allowed_domains = ["lower.example.com"]
 "#,
        )
@@ -329,7 +315,7 @@ allowed_domains = ["higher.example.com"]
        let mut config = NetworkProxyConfig::default();
        apply_network_tables(
            &mut config,
-            network_tables_from_toml(&lower_permissions).expect("lower layer should deserialize"),
+            network_tables_from_toml(&lower_network).expect("lower layer should deserialize"),
        );
        apply_network_tables(
            &mut config,
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -15,6 +15,13 @@ use crate::exec::StdoutStream;
 use crate::exec::execute_exec_request;
 use crate::landlock::allow_network_for_proxy;
 use crate::landlock::create_linux_sandbox_command_args;
+use crate::protocol::FileSystemAccessMode;
+use crate::protocol::FileSystemPath;
+use crate::protocol::FileSystemSandboxEntry;
+use crate::protocol::FileSystemSandboxKind;
+use crate::protocol::FileSystemSandboxPolicy;
+use crate::protocol::FileSystemSpecialPathKind;
+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::SandboxPolicy;
 #[cfg(target_os = "macos")]
 use crate::seatbelt::MACOS_PATH_TO_SEATBELT_EXECUTABLE;
@@ -30,6 +37,7 @@ use codex_protocol::models::FileSystemPermissions;
 use codex_protocol::models::MacOsSeatbeltProfileExtensions;
 use codex_protocol::models::PermissionProfile;
 pub use codex_protocol::models::SandboxPermissions;
+use codex_protocol::protocol::NetworkAccess;
 use codex_protocol::protocol::ReadOnlyAccess;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use dunce::canonicalize;
@@ -62,6 +70,8 @@ pub struct ExecRequest {
    pub windows_sandbox_level: WindowsSandboxLevel,
    pub sandbox_permissions: SandboxPermissions,
    pub sandbox_policy: SandboxPolicy,
+    pub file_system_sandbox_policy: FileSystemSandboxPolicy,
+    pub network_sandbox_policy: NetworkSandboxPolicy,
    pub justification: Option<String>,
    pub arg0: Option<String>,
 }
@@ -72,6 +82,8 @@ pub struct ExecRequest {
 pub(crate) struct SandboxTransformRequest<'a> {
    pub spec: CommandSpec,
    pub policy: &'a SandboxPolicy,
+    pub file_system_policy: &'a FileSystemSandboxPolicy,
+    pub network_policy: NetworkSandboxPolicy,
    pub sandbox: SandboxType,
    pub enforce_managed_network: bool,
    // TODO(viyatb): Evaluate switching this to Option<Arc<NetworkProxy>>
@@ -203,6 +215,41 @@ fn additional_permission_roots(
    )
 }

+#[cfg_attr(not(test), allow(dead_code))]
+fn merge_file_system_policy_with_additional_permissions(
+    file_system_policy: &FileSystemSandboxPolicy,
+    extra_reads: Vec<AbsolutePathBuf>,
+    extra_writes: Vec<AbsolutePathBuf>,
+) -> FileSystemSandboxPolicy {
+    match file_system_policy.kind {
+        FileSystemSandboxKind::Restricted => {
+            let mut merged_policy = file_system_policy.clone();
+            for path in extra_reads {
+                let entry = FileSystemSandboxEntry {
+                    path: FileSystemPath::Path { path },
+                    access: FileSystemAccessMode::Read,
+                };
+                if !merged_policy.entries.contains(&entry) {
+                    merged_policy.entries.push(entry);
+                }
+            }
+            for path in extra_writes {
+                let entry = FileSystemSandboxEntry {
+                    path: FileSystemPath::Path { path },
+                    access: FileSystemAccessMode::Write,
+                };
+                if !merged_policy.entries.contains(&entry) {
+                    merged_policy.entries.push(entry);
+                }
+            }
+            merged_policy
+        }
+        FileSystemSandboxKind::Unrestricted | FileSystemSandboxKind::ExternalSandbox => {
+            file_system_policy.clone()
+        }
+    }
+}
+
 fn merge_read_only_access_with_additional_reads(
    read_only_access: &ReadOnlyAccess,
    extra_reads: Vec<AbsolutePathBuf>,
@@ -246,9 +293,17 @@ fn sandbox_policy_with_additional_permissions(
    let (extra_reads, extra_writes) = additional_permission_roots(additional_permissions);

    match sandbox_policy {
-        SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
-            sandbox_policy.clone()
-        }
+        SandboxPolicy::DangerFullAccess => SandboxPolicy::DangerFullAccess,
+        SandboxPolicy::ExternalSandbox { network_access } => SandboxPolicy::ExternalSandbox {
+            network_access: if merge_network_access(
+                network_access.is_enabled(),
+                additional_permissions,
+            ) {
+                NetworkAccess::Enabled
+            } else {
+                NetworkAccess::Restricted
+            },
+        },
        SandboxPolicy::WorkspaceWrite {
            writable_roots,
            read_only_access,
@@ -297,6 +352,36 @@ fn sandbox_policy_with_additional_permissions(
    }
 }

+pub(crate) fn should_require_platform_sandbox(
+    file_system_policy: &FileSystemSandboxPolicy,
+    network_policy: NetworkSandboxPolicy,
+    has_managed_network_requirements: bool,
+) -> bool {
+    if has_managed_network_requirements {
+        return true;
+    }
+
+    if !network_policy.is_enabled() {
+        return !matches!(
+            file_system_policy.kind,
+            FileSystemSandboxKind::ExternalSandbox
+        );
+    }
+
+    match file_system_policy.kind {
+        FileSystemSandboxKind::Restricted => !file_system_policy.entries.iter().any(|entry| {
+            entry.access == FileSystemAccessMode::Write
+                && matches!(
+                    &entry.path,
+                    FileSystemPath::Special { value }
+                        if value.kind == FileSystemSpecialPathKind::Root
+                            && value.subpath.is_none()
+                )
+        }),
+        FileSystemSandboxKind::Unrestricted | FileSystemSandboxKind::ExternalSandbox => false,
+    }
+}
+
 #[derive(Default)]
 pub struct SandboxManager;

@@ -307,7 +392,8 @@ impl SandboxManager {

    pub(crate) fn select_initial(
        &self,
-        policy: &SandboxPolicy,
+        file_system_policy: &FileSystemSandboxPolicy,
+        network_policy: NetworkSandboxPolicy,
        pref: SandboxablePreference,
        windows_sandbox_level: WindowsSandboxLevel,
        has_managed_network_requirements: bool,
@@ -322,22 +408,20 @@ impl SandboxManager {
                )
                .unwrap_or(SandboxType::None)
            }
-            SandboxablePreference::Auto => match policy {
-                SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
-                    if has_managed_network_requirements {
-                        crate::safety::get_platform_sandbox(
-                            windows_sandbox_level != WindowsSandboxLevel::Disabled,
-                        )
-                        .unwrap_or(SandboxType::None)
-                    } else {
-                        SandboxType::None
-                    }
+            SandboxablePreference::Auto => {
+                if should_require_platform_sandbox(
+                    file_system_policy,
+                    network_policy,
+                    has_managed_network_requirements,
+                ) {
+                    crate::safety::get_platform_sandbox(
+                        windows_sandbox_level != WindowsSandboxLevel::Disabled,
+                    )
+                    .unwrap_or(SandboxType::None)
+                } else {
+                    SandboxType::None
                }
-                _ => crate::safety::get_platform_sandbox(
-                    windows_sandbox_level != WindowsSandboxLevel::Disabled,
-                )
-                .unwrap_or(SandboxType::None),
-            },
+            }
        }
    }

@@ -348,6 +432,8 @@ impl SandboxManager {
        let SandboxTransformRequest {
            mut spec,
            policy,
+            file_system_policy,
+            network_policy,
            sandbox,
            enforce_managed_network,
            network,
@@ -360,16 +446,38 @@ impl SandboxManager {
        } = request;
        #[cfg(not(target_os = "macos"))]
        let macos_seatbelt_profile_extensions = None;
-        let effective_permissions = EffectiveSandboxPermissions::new(
+        let additional_permissions = spec.additional_permissions.take();
+        let EffectiveSandboxPermissions {
+            sandbox_policy: effective_policy,
+            macos_seatbelt_profile_extensions: effective_macos_seatbelt_profile_extensions,
+        } = EffectiveSandboxPermissions::new(
            policy,
            macos_seatbelt_profile_extensions,
-            spec.additional_permissions.as_ref(),
+            additional_permissions.as_ref(),
        );
+        let (effective_file_system_policy, effective_network_policy) =
+            if let Some(additional_permissions) = additional_permissions {
+                let (extra_reads, extra_writes) =
+                    additional_permission_roots(&additional_permissions);
+                let file_system_sandbox_policy =
+                    if extra_reads.is_empty() && extra_writes.is_empty() {
+                        file_system_policy.clone()
+                    } else {
+                        match file_system_policy.kind {
+                            FileSystemSandboxKind::Restricted => {
+                                FileSystemSandboxPolicy::from(&effective_policy)
+                            }
+                            FileSystemSandboxKind::Unrestricted
+                            | FileSystemSandboxKind::ExternalSandbox => file_system_policy.clone(),
+                        }
+                    };
+                let network_sandbox_policy = NetworkSandboxPolicy::from(&effective_policy);
+                (file_system_sandbox_policy, network_sandbox_policy)
+            } else {
+                (file_system_policy.clone(), network_policy)
+            };
        let mut env = spec.env;
-        if !effective_permissions
-            .sandbox_policy
-            .has_full_network_access()
-        {
+        if !effective_network_policy.is_enabled() {
            env.insert(
                CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR.to_string(),
                "1".to_string(),
@@ -388,13 +496,11 @@ impl SandboxManager {
                seatbelt_env.insert(CODEX_SANDBOX_ENV_VAR.to_string(), "seatbelt".to_string());
                let mut args = create_seatbelt_command_args_with_extensions(
                    command.clone(),
-                    &effective_permissions.sandbox_policy,
+                    &effective_policy,
                    sandbox_policy_cwd,
                    enforce_managed_network,
                    network,
-                    effective_permissions
-                        .macos_seatbelt_profile_extensions
-                        .as_ref(),
+                    effective_macos_seatbelt_profile_extensions.as_ref(),
                );
                let mut full_command = Vec::with_capacity(1 + args.len());
                full_command.push(MACOS_PATH_TO_SEATBELT_EXECUTABLE.to_string());
@@ -409,7 +515,7 @@ impl SandboxManager {
                let allow_proxy_network = allow_network_for_proxy(enforce_managed_network);
                let mut args = create_linux_sandbox_command_args(
                    command.clone(),
-                    &effective_permissions.sandbox_policy,
+                    &effective_policy,
                    sandbox_policy_cwd,
                    use_linux_sandbox_bwrap,
                    allow_proxy_network,
@@ -444,7 +550,9 @@ impl SandboxManager {
            sandbox,
            windows_sandbox_level,
            sandbox_permissions: spec.sandbox_permissions,
-            sandbox_policy: effective_permissions.sandbox_policy,
+            sandbox_policy: effective_policy,
+            file_system_sandbox_policy: effective_file_system_policy,
+            network_sandbox_policy: effective_network_policy,
            justification: spec.justification,
            arg0: arg0_override,
        })
@@ -477,9 +585,19 @@ mod tests {
    #[cfg(target_os = "macos")]
    use super::EffectiveSandboxPermissions;
    use super::SandboxManager;
+    use super::merge_file_system_policy_with_additional_permissions;
    use super::normalize_additional_permissions;
    use super::sandbox_policy_with_additional_permissions;
+    use super::should_require_platform_sandbox;
    use crate::exec::SandboxType;
+    use crate::protocol::FileSystemAccessMode;
+    use crate::protocol::FileSystemPath;
+    use crate::protocol::FileSystemSandboxEntry;
+    use crate::protocol::FileSystemSandboxPolicy;
+    use crate::protocol::FileSystemSpecialPath;
+    use crate::protocol::FileSystemSpecialPathKind;
+    use crate::protocol::NetworkAccess;
+    use crate::protocol::NetworkSandboxPolicy;
    use crate::protocol::ReadOnlyAccess;
    use crate::protocol::SandboxPolicy;
    use crate::tools::sandboxing::SandboxablePreference;
@@ -496,13 +614,15 @@ mod tests {
    use codex_utils_absolute_path::AbsolutePathBuf;
    use dunce::canonicalize;
    use pretty_assertions::assert_eq;
+    use std::collections::HashMap;
    use tempfile::TempDir;

    #[test]
    fn danger_full_access_defaults_to_no_sandbox_without_network_requirements() {
        let manager = SandboxManager::new();
        let sandbox = manager.select_initial(
-            &SandboxPolicy::DangerFullAccess,
+            &FileSystemSandboxPolicy::unrestricted(),
+            NetworkSandboxPolicy::Enabled,
            SandboxablePreference::Auto,
            WindowsSandboxLevel::Disabled,
            false,
@@ -515,7 +635,8 @@ mod tests {
        let manager = SandboxManager::new();
        let expected = crate::safety::get_platform_sandbox(false).unwrap_or(SandboxType::None);
        let sandbox = manager.select_initial(
-            &SandboxPolicy::DangerFullAccess,
+            &FileSystemSandboxPolicy::unrestricted(),
+            NetworkSandboxPolicy::Enabled,
            SandboxablePreference::Auto,
            WindowsSandboxLevel::Disabled,
            true,
@@ -523,6 +644,107 @@ mod tests {
        assert_eq!(sandbox, expected);
    }

+    #[test]
+    fn restricted_file_system_uses_platform_sandbox_without_managed_network() {
+        let manager = SandboxManager::new();
+        let expected = crate::safety::get_platform_sandbox(false).unwrap_or(SandboxType::None);
+        let sandbox = manager.select_initial(
+            &FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+                path: FileSystemPath::Special {
+                    value: FileSystemSpecialPath {
+                        kind: FileSystemSpecialPathKind::Root,
+                        subpath: None,
+                    },
+                },
+                access: FileSystemAccessMode::Read,
+            }]),
+            NetworkSandboxPolicy::Enabled,
+            SandboxablePreference::Auto,
+            WindowsSandboxLevel::Disabled,
+            false,
+        );
+        assert_eq!(sandbox, expected);
+    }
+
+    #[test]
+    fn full_access_restricted_policy_skips_platform_sandbox_when_network_is_enabled() {
+        let policy = FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+            path: FileSystemPath::Special {
+                value: FileSystemSpecialPath {
+                    kind: FileSystemSpecialPathKind::Root,
+                    subpath: None,
+                },
+            },
+            access: FileSystemAccessMode::Write,
+        }]);
+
+        assert_eq!(
+            should_require_platform_sandbox(&policy, NetworkSandboxPolicy::Enabled, false),
+            false
+        );
+    }
+
+    #[test]
+    fn full_access_restricted_policy_still_uses_platform_sandbox_for_restricted_network() {
+        let policy = FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+            path: FileSystemPath::Special {
+                value: FileSystemSpecialPath {
+                    kind: FileSystemSpecialPathKind::Root,
+                    subpath: None,
+                },
+            },
+            access: FileSystemAccessMode::Write,
+        }]);
+
+        assert_eq!(
+            should_require_platform_sandbox(&policy, NetworkSandboxPolicy::Restricted, false),
+            true
+        );
+    }
+
+    #[test]
+    fn transform_preserves_unrestricted_file_system_policy_for_restricted_network() {
+        let manager = SandboxManager::new();
+        let cwd = std::env::current_dir().expect("current dir");
+        let exec_request = manager
+            .transform(super::SandboxTransformRequest {
+                spec: super::CommandSpec {
+                    program: "true".to_string(),
+                    args: Vec::new(),
+                    cwd: cwd.clone(),
+                    env: HashMap::new(),
+                    expiration: crate::exec::ExecExpiration::DefaultTimeout,
+                    sandbox_permissions: super::SandboxPermissions::UseDefault,
+                    additional_permissions: None,
+                    justification: None,
+                },
+                policy: &SandboxPolicy::ExternalSandbox {
+                    network_access: crate::protocol::NetworkAccess::Restricted,
+                },
+                file_system_policy: &FileSystemSandboxPolicy::unrestricted(),
+                network_policy: NetworkSandboxPolicy::Restricted,
+                sandbox: SandboxType::None,
+                enforce_managed_network: false,
+                network: None,
+                sandbox_policy_cwd: cwd.as_path(),
+                #[cfg(target_os = "macos")]
+                macos_seatbelt_profile_extensions: None,
+                codex_linux_sandbox_exe: None,
+                use_linux_sandbox_bwrap: false,
+                windows_sandbox_level: WindowsSandboxLevel::Disabled,
+            })
+            .expect("transform");
+
+        assert_eq!(
+            exec_request.file_system_sandbox_policy,
+            FileSystemSandboxPolicy::unrestricted()
+        );
+        assert_eq!(
+            exec_request.network_sandbox_policy,
+            NetworkSandboxPolicy::Restricted
+        );
+    }
+
    #[test]
    fn normalize_additional_permissions_preserves_network() {
        let temp_dir = TempDir::new().expect("create temp dir");
@@ -624,7 +846,6 @@ mod tests {
            }
        );
    }
-
    #[cfg(target_os = "macos")]
    #[test]
    fn effective_permissions_merge_macos_extensions_with_additional_permissions() {
@@ -679,4 +900,141 @@ mod tests {
            })
        );
    }
+
+    #[test]
+    fn external_sandbox_additional_permissions_can_enable_network() {
+        let temp_dir = TempDir::new().expect("create temp dir");
+        let path = AbsolutePathBuf::from_absolute_path(
+            canonicalize(temp_dir.path()).expect("canonicalize temp dir"),
+        )
+        .expect("absolute temp dir");
+        let policy = sandbox_policy_with_additional_permissions(
+            &SandboxPolicy::ExternalSandbox {
+                network_access: NetworkAccess::Restricted,
+            },
+            &PermissionProfile {
+                network: Some(NetworkPermissions {
+                    enabled: Some(true),
+                }),
+                file_system: Some(FileSystemPermissions {
+                    read: Some(vec![path]),
+                    write: Some(Vec::new()),
+                }),
+                ..Default::default()
+            },
+        );
+
+        assert_eq!(
+            policy,
+            SandboxPolicy::ExternalSandbox {
+                network_access: NetworkAccess::Enabled,
+            }
+        );
+    }
+
+    #[test]
+    fn transform_additional_permissions_enable_network_for_external_sandbox() {
+        let manager = SandboxManager::new();
+        let cwd = std::env::current_dir().expect("current dir");
+        let temp_dir = TempDir::new().expect("create temp dir");
+        let path = AbsolutePathBuf::from_absolute_path(
+            canonicalize(temp_dir.path()).expect("canonicalize temp dir"),
+        )
+        .expect("absolute temp dir");
+        let exec_request = manager
+            .transform(super::SandboxTransformRequest {
+                spec: super::CommandSpec {
+                    program: "true".to_string(),
+                    args: Vec::new(),
+                    cwd: cwd.clone(),
+                    env: HashMap::new(),
+                    expiration: crate::exec::ExecExpiration::DefaultTimeout,
+                    sandbox_permissions: super::SandboxPermissions::WithAdditionalPermissions,
+                    additional_permissions: Some(PermissionProfile {
+                        network: Some(NetworkPermissions {
+                            enabled: Some(true),
+                        }),
+                        file_system: Some(FileSystemPermissions {
+                            read: Some(vec![path]),
+                            write: Some(Vec::new()),
+                        }),
+                        ..Default::default()
+                    }),
+                    justification: None,
+                },
+                policy: &SandboxPolicy::ExternalSandbox {
+                    network_access: NetworkAccess::Restricted,
+                },
+                file_system_policy: &FileSystemSandboxPolicy::unrestricted(),
+                network_policy: NetworkSandboxPolicy::Restricted,
+                sandbox: SandboxType::None,
+                enforce_managed_network: false,
+                network: None,
+                sandbox_policy_cwd: cwd.as_path(),
+                #[cfg(target_os = "macos")]
+                macos_seatbelt_profile_extensions: None,
+                codex_linux_sandbox_exe: None,
+                use_linux_sandbox_bwrap: false,
+                windows_sandbox_level: WindowsSandboxLevel::Disabled,
+            })
+            .expect("transform");
+
+        assert_eq!(
+            exec_request.sandbox_policy,
+            SandboxPolicy::ExternalSandbox {
+                network_access: NetworkAccess::Enabled,
+            }
+        );
+        assert_eq!(
+            exec_request.network_sandbox_policy,
+            NetworkSandboxPolicy::Enabled
+        );
+    }
+
+    #[test]
+    fn merge_file_system_policy_with_additional_permissions_preserves_unreadable_roots() {
+        let temp_dir = TempDir::new().expect("create temp dir");
+        let cwd = AbsolutePathBuf::from_absolute_path(
+            canonicalize(temp_dir.path()).expect("canonicalize temp dir"),
+        )
+        .expect("absolute temp dir");
+        let allowed_path = cwd.join("allowed").expect("allowed path");
+        let denied_path = cwd.join("denied").expect("denied path");
+        let merged_policy = merge_file_system_policy_with_additional_permissions(
+            &FileSystemSandboxPolicy::restricted(vec![
+                FileSystemSandboxEntry {
+                    path: FileSystemPath::Special {
+                        value: FileSystemSpecialPath {
+                            kind: FileSystemSpecialPathKind::Root,
+                            subpath: None,
+                        },
+                    },
+                    access: FileSystemAccessMode::Read,
+                },
+                FileSystemSandboxEntry {
+                    path: FileSystemPath::Path {
+                        path: denied_path.clone(),
+                    },
+                    access: FileSystemAccessMode::None,
+                },
+            ]),
+            vec![allowed_path.clone()],
+            Vec::new(),
+        );
+
+        assert_eq!(
+            merged_policy.entries.contains(&FileSystemSandboxEntry {
+                path: FileSystemPath::Path { path: denied_path },
+                access: FileSystemAccessMode::None,
+            }),
+            true
+        );
+        assert_eq!(
+            merged_policy.entries.contains(&FileSystemSandboxEntry {
+                path: FileSystemPath::Path { path: allowed_path },
+                access: FileSystemAccessMode::Read,
+            }),
+            true
+        );
+    }
 }
--- a/codex-rs/core/src/seatbelt.rs
+++ b/codex-rs/core/src/seatbelt.rs
@@ -15,6 +15,7 @@ use tokio::process::Child;
 use tracing::warn;
 use url::Url;

+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::SandboxPolicy;
 use crate::seatbelt_permissions::MacOsSeatbeltProfileExtensions;
 use crate::seatbelt_permissions::build_seatbelt_extensions;
@@ -51,7 +52,7 @@ pub async fn spawn_command_under_seatbelt(
        args,
        arg0,
        cwd: command_cwd,
-        sandbox_policy,
+        network_sandbox_policy: NetworkSandboxPolicy::from(sandbox_policy),
        network,
        stdio_policy,
        env,
--- a/codex-rs/core/src/spawn.rs
+++ b/codex-rs/core/src/spawn.rs
@@ -6,13 +6,13 @@ use tokio::process::Child;
 use tokio::process::Command;
 use tracing::trace;

-use crate::protocol::SandboxPolicy;
+use crate::protocol::NetworkSandboxPolicy;

 /// Experimental environment variable that will be set to some non-empty value
 /// if both of the following are true:
 ///
 /// 1. The process was spawned by Codex as part of a shell tool call.
-/// 2. SandboxPolicy.has_full_network_access() was false for the tool call.
+/// 2. NetworkSandboxPolicy is restricted for the tool call.
 ///
 /// We may try to have just one environment variable for all sandboxing
 /// attributes, so this may change in the future.
@@ -33,15 +33,15 @@ pub enum StdioPolicy {
 /// ensuring the args and environment variables used to create the `Command`
 /// (and `Child`) honor the configuration.
 ///
-/// For now, we take `SandboxPolicy` as a parameter to spawn_child() because
-/// we need to determine whether to set the
+/// For now, we take `NetworkSandboxPolicy` as a parameter to spawn_child()
+/// because we need to determine whether to set the
 /// `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` environment variable.
 pub(crate) struct SpawnChildRequest<'a> {
    pub program: PathBuf,
    pub args: Vec<String>,
    pub arg0: Option<&'a str>,
    pub cwd: PathBuf,
-    pub sandbox_policy: &'a SandboxPolicy,
+    pub network_sandbox_policy: NetworkSandboxPolicy,
    pub network: Option<&'a NetworkProxy>,
    pub stdio_policy: StdioPolicy,
    pub env: HashMap<String, String>,
@@ -53,14 +53,14 @@ pub(crate) async fn spawn_child_async(request: SpawnChildRequest<'_>) -> std::io
        args,
        arg0,
        cwd,
-        sandbox_policy,
+        network_sandbox_policy,
        network,
        stdio_policy,
        mut env,
    } = request;

    trace!(
-        "spawn_child_async: {program:?} {args:?} {arg0:?} {cwd:?} {sandbox_policy:?} {stdio_policy:?} {env:?}"
+        "spawn_child_async: {program:?} {args:?} {arg0:?} {cwd:?} {network_sandbox_policy:?} {stdio_policy:?} {env:?}"
    );

    let mut cmd = Command::new(&program);
@@ -74,7 +74,7 @@ pub(crate) async fn spawn_child_async(request: SpawnChildRequest<'_>) -> std::io
    cmd.env_clear();
    cmd.envs(env);

-    if !sandbox_policy.has_full_network_access() {
+    if !network_sandbox_policy.is_enabled() {
        cmd.env(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR, "1");
    }

--- a/codex-rs/core/src/tasks/user_shell.rs
+++ b/codex-rs/core/src/tasks/user_shell.rs
@@ -22,6 +22,8 @@ use crate::protocol::ExecCommandBeginEvent;
 use crate::protocol::ExecCommandEndEvent;
 use crate::protocol::ExecCommandSource;
 use crate::protocol::ExecCommandStatus;
+use crate::protocol::FileSystemSandboxPolicy;
+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::SandboxPolicy;
 use crate::protocol::TurnStartedEvent;
 use crate::sandboxing::ExecRequest;
@@ -167,6 +169,8 @@ pub(crate) async fn execute_user_shell_command(
        windows_sandbox_level: turn_context.windows_sandbox_level,
        sandbox_permissions: SandboxPermissions::UseDefault,
        sandbox_policy: sandbox_policy.clone(),
+        file_system_sandbox_policy: FileSystemSandboxPolicy::from(&sandbox_policy),
+        network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
        justification: None,
        arg0: None,
    };
--- a/codex-rs/core/src/tools/js_repl/mod.rs
+++ b/codex-rs/core/src/tools/js_repl/mod.rs
@@ -852,7 +852,8 @@ impl JsReplManager {
            .network
            .is_some();
        let sandbox_type = sandbox.select_initial(
-            &turn.sandbox_policy,
+            &turn.file_system_sandbox_policy,
+            turn.network_sandbox_policy,
            SandboxablePreference::Auto,
            turn.windows_sandbox_level,
            has_managed_network_requirements,
@@ -861,6 +862,8 @@ impl JsReplManager {
            .transform(crate::sandboxing::SandboxTransformRequest {
                spec,
                policy: &turn.sandbox_policy,
+                file_system_policy: &turn.file_system_sandbox_policy,
+                network_policy: turn.network_sandbox_policy,
                sandbox: sandbox_type,
                enforce_managed_network: has_managed_network_requirements,
                network: None,
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -169,7 +169,8 @@ impl ToolOrchestrator {
        let initial_sandbox = match tool.sandbox_mode_for_first_attempt(req) {
            SandboxOverride::BypassSandboxFirstAttempt => crate::exec::SandboxType::None,
            SandboxOverride::NoOverride => self.sandbox.select_initial(
-                &turn_ctx.sandbox_policy,
+                &turn_ctx.file_system_sandbox_policy,
+                turn_ctx.network_sandbox_policy,
                tool.sandbox_preference(),
                turn_ctx.windows_sandbox_level,
                has_managed_network_requirements,
@@ -182,6 +183,8 @@ impl ToolOrchestrator {
        let initial_attempt = SandboxAttempt {
            sandbox: initial_sandbox,
            policy: &turn_ctx.sandbox_policy,
+            file_system_policy: &turn_ctx.file_system_sandbox_policy,
+            network_policy: turn_ctx.network_sandbox_policy,
            enforce_managed_network: has_managed_network_requirements,
            manager: &self.sandbox,
            sandbox_cwd: &turn_ctx.cwd,
@@ -296,6 +299,8 @@ impl ToolOrchestrator {
                let escalated_attempt = SandboxAttempt {
                    sandbox: crate::exec::SandboxType::None,
                    policy: &turn_ctx.sandbox_policy,
+                    file_system_policy: &turn_ctx.file_system_sandbox_policy,
+                    network_policy: turn_ctx.network_sandbox_policy,
                    enforce_managed_network: has_managed_network_requirements,
                    manager: &self.sandbox,
                    sandbox_cwd: &turn_ctx.cwd,
--- a/codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
+++ b/codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
@@ -25,7 +25,9 @@ use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::models::MacOsSeatbeltProfileExtensions;
 use codex_protocol::models::PermissionProfile;
 use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::FileSystemSandboxPolicy;
 use codex_protocol::protocol::NetworkPolicyRuleAction;
+use codex_protocol::protocol::NetworkSandboxPolicy;
 use codex_protocol::protocol::RejectConfig;
 use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::SandboxPolicy;
@@ -98,6 +100,8 @@ pub(super) async fn try_run_zsh_fork(
        windows_sandbox_level,
        sandbox_permissions,
        sandbox_policy,
+        file_system_sandbox_policy,
+        network_sandbox_policy,
        justification,
        arg0,
    } = sandbox_exec_request;
@@ -113,6 +117,8 @@ pub(super) async fn try_run_zsh_fork(
        command,
        cwd: sandbox_cwd,
        sandbox_policy,
+        file_system_sandbox_policy,
+        network_sandbox_policy,
        sandbox,
        env: sandbox_env,
        network: sandbox_network,
@@ -220,6 +226,8 @@ pub(crate) async fn prepare_unified_exec_zsh_fork(
        command: exec_request.command.clone(),
        cwd: exec_request.cwd.clone(),
        sandbox_policy: exec_request.sandbox_policy.clone(),
+        file_system_sandbox_policy: exec_request.file_system_sandbox_policy.clone(),
+        network_sandbox_policy: exec_request.network_sandbox_policy,
        sandbox: exec_request.sandbox,
        env: exec_request.env.clone(),
        network: exec_request.network.clone(),
@@ -728,6 +736,8 @@ struct CoreShellCommandExecutor {
    command: Vec<String>,
    cwd: PathBuf,
    sandbox_policy: SandboxPolicy,
+    file_system_sandbox_policy: FileSystemSandboxPolicy,
+    network_sandbox_policy: NetworkSandboxPolicy,
    sandbox: SandboxType,
    env: HashMap<String, String>,
    network: Option<codex_network_proxy::NetworkProxy>,
@@ -747,6 +757,8 @@ struct PrepareSandboxedExecParams<'a> {
    workdir: &'a AbsolutePathBuf,
    env: HashMap<String, String>,
    sandbox_policy: &'a SandboxPolicy,
+    file_system_sandbox_policy: &'a FileSystemSandboxPolicy,
+    network_sandbox_policy: NetworkSandboxPolicy,
    additional_permissions: Option<PermissionProfile>,
    #[cfg(target_os = "macos")]
    macos_seatbelt_profile_extensions: Option<&'a MacOsSeatbeltProfileExtensions>,
@@ -782,6 +794,8 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
                windows_sandbox_level: self.windows_sandbox_level,
                sandbox_permissions: self.sandbox_permissions,
                sandbox_policy: self.sandbox_policy.clone(),
+                file_system_sandbox_policy: self.file_system_sandbox_policy.clone(),
+                network_sandbox_policy: self.network_sandbox_policy,
                justification: self.justification.clone(),
                arg0: self.arg0.clone(),
            },
@@ -828,6 +842,8 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
                    workdir,
                    env,
                    sandbox_policy: &self.sandbox_policy,
+                    file_system_sandbox_policy: &self.file_system_sandbox_policy,
+                    network_sandbox_policy: self.network_sandbox_policy,
                    additional_permissions: None,
                    #[cfg(target_os = "macos")]
                    macos_seatbelt_profile_extensions: self
@@ -845,6 +861,8 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
                    workdir,
                    env,
                    sandbox_policy: &self.sandbox_policy,
+                    file_system_sandbox_policy: &self.file_system_sandbox_policy,
+                    network_sandbox_policy: self.network_sandbox_policy,
                    additional_permissions: Some(permission_profile),
                    #[cfg(target_os = "macos")]
                    macos_seatbelt_profile_extensions: self
@@ -854,11 +872,17 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
            }
            EscalationExecution::Permissions(EscalationPermissions::Permissions(permissions)) => {
                // Use a fully specified sandbox policy instead of merging into the turn policy.
+                let file_system_sandbox_policy =
+                    FileSystemSandboxPolicy::from(&permissions.sandbox_policy);
+                let network_sandbox_policy =
+                    NetworkSandboxPolicy::from(&permissions.sandbox_policy);
                self.prepare_sandboxed_exec(PrepareSandboxedExecParams {
                    command,
                    workdir,
                    env,
                    sandbox_policy: &permissions.sandbox_policy,
+                    file_system_sandbox_policy: &file_system_sandbox_policy,
+                    network_sandbox_policy,
                    additional_permissions: None,
                    #[cfg(target_os = "macos")]
                    macos_seatbelt_profile_extensions: permissions
@@ -873,6 +897,7 @@ impl ShellCommandExecutor for CoreShellCommandExecutor {
 }

 impl CoreShellCommandExecutor {
+    #[allow(clippy::too_many_arguments)]
    fn prepare_sandboxed_exec(
        &self,
        params: PrepareSandboxedExecParams<'_>,
@@ -882,6 +907,8 @@ impl CoreShellCommandExecutor {
            workdir,
            env,
            sandbox_policy,
+            file_system_sandbox_policy,
+            network_sandbox_policy,
            additional_permissions,
            #[cfg(target_os = "macos")]
            macos_seatbelt_profile_extensions,
@@ -891,7 +918,8 @@ impl CoreShellCommandExecutor {
            .ok_or_else(|| anyhow::anyhow!("prepared command must not be empty"))?;
        let sandbox_manager = crate::sandboxing::SandboxManager::new();
        let sandbox = sandbox_manager.select_initial(
-            sandbox_policy,
+            file_system_sandbox_policy,
+            network_sandbox_policy,
            SandboxablePreference::Auto,
            self.windows_sandbox_level,
            self.network.is_some(),
@@ -913,6 +941,8 @@ impl CoreShellCommandExecutor {
                    justification: self.justification.clone(),
                },
                policy: sandbox_policy,
+                file_system_policy: file_system_sandbox_policy,
+                network_policy: network_sandbox_policy,
                sandbox,
                enforce_managed_network: self.network.is_some(),
                network: self.network.as_ref(),
--- a/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
+++ b/codex-rs/core/src/tools/runtimes/shell/unix_escalation_tests.rs
@@ -474,6 +474,10 @@ async fn prepare_escalated_exec_turn_default_preserves_macos_seatbelt_extensions
        network: None,
        sandbox: SandboxType::None,
        sandbox_policy: SandboxPolicy::new_read_only_policy(),
+        file_system_sandbox_policy: FileSystemSandboxPolicy::from(
+            &SandboxPolicy::new_read_only_policy(),
+        ),
+        network_sandbox_policy: NetworkSandboxPolicy::Restricted,
        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        sandbox_permissions: SandboxPermissions::UseDefault,
        justification: None,
@@ -524,6 +528,8 @@ async fn prepare_escalated_exec_permissions_preserve_macos_seatbelt_extensions()
        network: None,
        sandbox: SandboxType::None,
        sandbox_policy: SandboxPolicy::DangerFullAccess,
+        file_system_sandbox_policy: FileSystemSandboxPolicy::from(&SandboxPolicy::DangerFullAccess),
+        network_sandbox_policy: NetworkSandboxPolicy::Enabled,
        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        sandbox_permissions: SandboxPermissions::UseDefault,
        justification: None,
@@ -537,6 +543,10 @@ async fn prepare_escalated_exec_permissions_preserve_macos_seatbelt_extensions()
    let permissions = Permissions {
        approval_policy: Constrained::allow_any(AskForApproval::Never),
        sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+        file_system_sandbox_policy: codex_protocol::permissions::FileSystemSandboxPolicy::from(
+            &SandboxPolicy::new_read_only_policy(),
+        ),
+        network_sandbox_policy: codex_protocol::permissions::NetworkSandboxPolicy::Restricted,
        network: None,
        allow_login_shell: true,
        shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -584,13 +594,16 @@ async fn prepare_escalated_exec_permissions_preserve_macos_seatbelt_extensions()
 #[tokio::test]
 async fn prepare_escalated_exec_permission_profile_unions_turn_and_requested_macos_extensions() {
    let cwd = AbsolutePathBuf::from_absolute_path(std::env::temp_dir()).unwrap();
+    let sandbox_policy = SandboxPolicy::new_read_only_policy();
    let executor = CoreShellCommandExecutor {
        command: vec!["echo".to_string(), "ok".to_string()],
        cwd: cwd.to_path_buf(),
        env: HashMap::new(),
        network: None,
        sandbox: SandboxType::None,
-        sandbox_policy: SandboxPolicy::new_read_only_policy(),
+        sandbox_policy: sandbox_policy.clone(),
+        file_system_sandbox_policy: FileSystemSandboxPolicy::from(&sandbox_policy),
+        network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        sandbox_permissions: SandboxPermissions::UseDefault,
        justification: None,
--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -7,6 +7,8 @@
 use crate::codex::Session;
 use crate::codex::TurnContext;
 use crate::error::CodexErr;
+use crate::protocol::FileSystemSandboxPolicy;
+use crate::protocol::NetworkSandboxPolicy;
 use crate::protocol::SandboxPolicy;
 use crate::sandboxing::CommandSpec;
 use crate::sandboxing::SandboxManager;
@@ -318,6 +320,8 @@ pub(crate) trait ToolRuntime<Req, Out>: Approvable<Req> + Sandboxable {
 pub(crate) struct SandboxAttempt<'a> {
    pub sandbox: crate::exec::SandboxType,
    pub policy: &'a crate::protocol::SandboxPolicy,
+    pub file_system_policy: &'a FileSystemSandboxPolicy,
+    pub network_policy: NetworkSandboxPolicy,
    pub enforce_managed_network: bool,
    pub(crate) manager: &'a SandboxManager,
    pub(crate) sandbox_cwd: &'a Path,
@@ -336,6 +340,8 @@ impl<'a> SandboxAttempt<'a> {
            .transform(crate::sandboxing::SandboxTransformRequest {
                spec,
                policy: self.policy,
+                file_system_policy: self.file_system_policy,
+                network_policy: self.network_policy,
                sandbox: self.sandbox,
                enforce_managed_network: self.enforce_managed_network,
                network,
--- a/codex-rs/core/src/unified_exec/mod.rs
+++ b/codex-rs/core/src/unified_exec/mod.rs
@@ -205,6 +205,10 @@ mod tests {
        turn.sandbox_policy
            .set(SandboxPolicy::DangerFullAccess)
            .expect("test setup should allow updating sandbox policy");
+        turn.file_system_sandbox_policy =
+            crate::protocol::FileSystemSandboxPolicy::from(turn.sandbox_policy.get());
+        turn.network_sandbox_policy =
+            crate::protocol::NetworkSandboxPolicy::from(turn.sandbox_policy.get());
        (Arc::new(session), Arc::new(turn))
    }

--- a/codex-rs/core/tests/suite/approvals.rs
+++ b/codex-rs/core/tests/suite/approvals.rs
@@ -2234,7 +2234,7 @@ async fn denying_network_policy_amendment_persists_policy_and_skips_future_netwo
    let home = Arc::new(TempDir::new()?);
    fs::write(
        home.path().join("config.toml"),
-        r#"[permissions.network]
+        r#"[network]
 enabled = true
 mode = "limited"
 allow_local_binding = true
--- a/codex-rs/core/tests/suite/exec.rs
+++ b/codex-rs/core/tests/suite/exec.rs
@@ -10,6 +10,8 @@ use codex_core::exec::process_exec_tool_call;
 use codex_core::sandboxing::SandboxPermissions;
 use codex_core::spawn::CODEX_SANDBOX_ENV_VAR;
 use codex_protocol::config_types::WindowsSandboxLevel;
+use codex_protocol::protocol::FileSystemSandboxPolicy;
+use codex_protocol::protocol::NetworkSandboxPolicy;
 use codex_protocol::protocol::SandboxPolicy;
 use tempfile::TempDir;

@@ -45,7 +47,17 @@ async fn run_test_cmd(tmp: TempDir, cmd: Vec<&str>) -> Result<ExecToolCallOutput

    let policy = SandboxPolicy::new_read_only_policy();

-    process_exec_tool_call(params, &policy, tmp.path(), &None, false, None).await
+    process_exec_tool_call(
+        params,
+        &policy,
+        &FileSystemSandboxPolicy::from(&policy),
+        NetworkSandboxPolicy::from(&policy),
+        tmp.path(),
+        &None,
+        false,
+        None,
+    )
+    .await
 }

 /// Command succeeds with exit code 0 normally
--- a/codex-rs/core/tests/suite/user_shell_cmd.rs
+++ b/codex-rs/core/tests/suite/user_shell_cmd.rs
@@ -5,6 +5,7 @@ use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::ExecCommandEndEvent;
 use codex_protocol::protocol::ExecCommandSource;
 use codex_protocol::protocol::ExecOutputStream;
+use codex_protocol::protocol::NetworkSandboxPolicy;
 use codex_protocol::protocol::Op;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnAbortReason;
@@ -23,6 +24,7 @@ use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_match;
 use core_test_support::wait_for_event_with_timeout;
+use pretty_assertions::assert_eq;
 use regex_lite::escape;
 use std::path::PathBuf;
 use tempfile::TempDir;
@@ -328,6 +330,35 @@ async fn user_shell_command_history_is_persisted_and_shared_with_model() -> anyh
    Ok(())
 }

+#[tokio::test]
+async fn user_shell_command_does_not_set_network_sandbox_env_var() -> anyhow::Result<()> {
+    let server = responses::start_mock_server().await;
+    let mut builder = core_test_support::test_codex::test_codex().with_config(|config| {
+        config.permissions.network_sandbox_policy = NetworkSandboxPolicy::Restricted;
+    });
+    let test = builder.build(&server).await?;
+
+    #[cfg(windows)]
+    let command = r#"$val = $env:CODEX_SANDBOX_NETWORK_DISABLED; if ([string]::IsNullOrEmpty($val)) { $val = 'not-set' } ; [System.Console]::Write($val)"#.to_string();
+    #[cfg(not(windows))]
+    let command =
+        r#"sh -c "printf '%s' \"${CODEX_SANDBOX_NETWORK_DISABLED:-not-set}\"""#.to_string();
+
+    test.codex
+        .submit(Op::RunUserShellCommand { command })
+        .await?;
+
+    let end_event = wait_for_event_match(&test.codex, |ev| match ev {
+        EventMsg::ExecCommandEnd(event) => Some(event.clone()),
+        _ => None,
+    })
+    .await;
+    assert_eq!(end_event.exit_code, 0);
+    assert_eq!(end_event.stdout.trim(), "not-set");
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 #[cfg(not(target_os = "windows"))] // TODO: unignore on windows
 async fn user_shell_command_output_is_truncated_in_history() -> anyhow::Result<()> {
--- a/codex-rs/linux-sandbox/tests/suite/landlock.rs
+++ b/codex-rs/linux-sandbox/tests/suite/landlock.rs
@@ -9,6 +9,8 @@ use codex_core::exec::process_exec_tool_call;
 use codex_core::exec_env::create_env;
 use codex_core::sandboxing::SandboxPermissions;
 use codex_protocol::config_types::WindowsSandboxLevel;
+use codex_protocol::protocol::FileSystemSandboxPolicy;
+use codex_protocol::protocol::NetworkSandboxPolicy;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use pretty_assertions::assert_eq;
@@ -102,6 +104,8 @@ async fn run_cmd_result_with_writable_roots(
    process_exec_tool_call(
        params,
        &sandbox_policy,
+        &FileSystemSandboxPolicy::from(&sandbox_policy),
+        NetworkSandboxPolicy::from(&sandbox_policy),
        sandbox_cwd.as_path(),
        &codex_linux_sandbox_exe,
        use_bwrap_sandbox,
@@ -333,6 +337,8 @@ async fn assert_network_blocked(cmd: &[&str]) {
    let result = process_exec_tool_call(
        params,
        &sandbox_policy,
+        &FileSystemSandboxPolicy::from(&sandbox_policy),
+        NetworkSandboxPolicy::from(&sandbox_policy),
        sandbox_cwd.as_path(),
        &codex_linux_sandbox_exe,
        false,
--- a/codex-rs/protocol/src/lib.rs
+++ b/codex-rs/protocol/src/lib.rs
@@ -12,6 +12,7 @@ pub mod models;
 pub mod num_format;
 pub mod openai_models;
 pub mod parse_command;
+pub mod permissions;
 pub mod plan_tool;
 pub mod protocol;
 pub mod request_user_input;
--- a/codex-rs/protocol/src/permissions.rs
+++ b/codex-rs/protocol/src/permissions.rs
@@ -0,0 +1,473 @@
+use std::collections::HashSet;
+use std::io;
+use std::path::Path;
+use std::path::PathBuf;
+
+use codex_utils_absolute_path::AbsolutePathBuf;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use strum_macros::Display;
+use ts_rs::TS;
+
+use crate::protocol::NetworkAccess;
+use crate::protocol::ReadOnlyAccess;
+use crate::protocol::SandboxPolicy;
+
+#[derive(
+    Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Display, Default, JsonSchema, TS,
+)]
+#[serde(rename_all = "kebab-case")]
+#[strum(serialize_all = "kebab-case")]
+pub enum NetworkSandboxPolicy {
+    #[default]
+    Restricted,
+    Enabled,
+}
+
+impl NetworkSandboxPolicy {
+    pub fn is_enabled(self) -> bool {
+        matches!(self, NetworkSandboxPolicy::Enabled)
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Display, JsonSchema, TS)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum FileSystemAccessMode {
+    None,
+    Read,
+    Write,
+}
+
+impl FileSystemAccessMode {
+    pub fn can_read(self) -> bool {
+        !matches!(self, FileSystemAccessMode::None)
+    }
+
+    pub fn can_write(self) -> bool {
+        matches!(self, FileSystemAccessMode::Write)
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema, TS)]
+#[serde(tag = "kind", rename_all = "snake_case")]
+#[ts(tag = "kind")]
+pub enum FileSystemSpecialPath {
+    Root,
+    Minimal,
+    CurrentWorkingDirectory,
+    ProjectRoots {
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        #[ts(optional)]
+        subpath: Option<PathBuf>,
+    },
+    Tmpdir,
+    SlashTmp,
+}
+
+impl FileSystemSpecialPath {
+    pub fn project_roots(subpath: Option<PathBuf>) -> Self {
+        Self::ProjectRoots { subpath }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema, TS)]
+pub struct FileSystemSandboxEntry {
+    pub path: FileSystemPath,
+    pub access: FileSystemAccessMode,
+}
+
+#[derive(
+    Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Display, Default, JsonSchema, TS,
+)]
+#[serde(rename_all = "kebab-case")]
+#[strum(serialize_all = "kebab-case")]
+pub enum FileSystemSandboxKind {
+    #[default]
+    Restricted,
+    Unrestricted,
+    ExternalSandbox,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema, TS)]
+pub struct FileSystemSandboxPolicy {
+    pub kind: FileSystemSandboxKind,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub entries: Vec<FileSystemSandboxEntry>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "snake_case")]
+#[ts(tag = "type")]
+pub enum FileSystemPath {
+    Path { path: AbsolutePathBuf },
+    Special { value: FileSystemSpecialPath },
+}
+
+impl Default for FileSystemSandboxPolicy {
+    fn default() -> Self {
+        Self {
+            kind: FileSystemSandboxKind::Restricted,
+            entries: vec![FileSystemSandboxEntry {
+                path: FileSystemPath::Special {
+                    value: FileSystemSpecialPath::Root,
+                },
+                access: FileSystemAccessMode::Read,
+            }],
+        }
+    }
+}
+
+impl FileSystemSandboxPolicy {
+    pub fn unrestricted() -> Self {
+        Self {
+            kind: FileSystemSandboxKind::Unrestricted,
+            entries: Vec::new(),
+        }
+    }
+
+    pub fn external_sandbox() -> Self {
+        Self {
+            kind: FileSystemSandboxKind::ExternalSandbox,
+            entries: Vec::new(),
+        }
+    }
+
+    pub fn restricted(entries: Vec<FileSystemSandboxEntry>) -> Self {
+        Self {
+            kind: FileSystemSandboxKind::Restricted,
+            entries,
+        }
+    }
+
+    pub fn to_legacy_sandbox_policy(
+        &self,
+        network_policy: NetworkSandboxPolicy,
+        cwd: &Path,
+    ) -> io::Result<SandboxPolicy> {
+        Ok(match self.kind {
+            FileSystemSandboxKind::ExternalSandbox => SandboxPolicy::ExternalSandbox {
+                network_access: if network_policy.is_enabled() {
+                    NetworkAccess::Enabled
+                } else {
+                    NetworkAccess::Restricted
+                },
+            },
+            FileSystemSandboxKind::Unrestricted => {
+                if network_policy.is_enabled() {
+                    SandboxPolicy::DangerFullAccess
+                } else {
+                    SandboxPolicy::ExternalSandbox {
+                        network_access: NetworkAccess::Restricted,
+                    }
+                }
+            }
+            FileSystemSandboxKind::Restricted => {
+                let cwd_absolute = AbsolutePathBuf::from_absolute_path(cwd).ok();
+                let mut include_platform_defaults = false;
+                let mut has_full_disk_read_access = false;
+                let mut has_full_disk_write_access = false;
+                let mut workspace_root_writable = false;
+                let mut writable_roots = Vec::new();
+                let mut readable_roots = Vec::new();
+                let mut tmpdir_writable = false;
+                let mut slash_tmp_writable = false;
+
+                for entry in &self.entries {
+                    match &entry.path {
+                        FileSystemPath::Path { path } => {
+                            if entry.access.can_write() {
+                                if cwd_absolute.as_ref().is_some_and(|cwd| cwd == path) {
+                                    workspace_root_writable = true;
+                                } else {
+                                    writable_roots.push(path.clone());
+                                }
+                            } else if entry.access.can_read() {
+                                readable_roots.push(path.clone());
+                            }
+                        }
+                        FileSystemPath::Special { value } => match value {
+                            FileSystemSpecialPath::Root => match entry.access {
+                                FileSystemAccessMode::None => {}
+                                FileSystemAccessMode::Read => has_full_disk_read_access = true,
+                                FileSystemAccessMode::Write => {
+                                    has_full_disk_read_access = true;
+                                    has_full_disk_write_access = true;
+                                }
+                            },
+                            FileSystemSpecialPath::Minimal => {
+                                if entry.access.can_read() {
+                                    include_platform_defaults = true;
+                                }
+                            }
+                            FileSystemSpecialPath::CurrentWorkingDirectory => {
+                                if entry.access.can_write() {
+                                    workspace_root_writable = true;
+                                } else if entry.access.can_read()
+                                    && let Some(path) = resolve_file_system_special_path(
+                                        value,
+                                        cwd_absolute.as_ref(),
+                                    )
+                                {
+                                    readable_roots.push(path);
+                                }
+                            }
+                            FileSystemSpecialPath::ProjectRoots { subpath } => {
+                                if subpath.is_none() && entry.access.can_write() {
+                                    workspace_root_writable = true;
+                                } else if let Some(path) =
+                                    resolve_file_system_special_path(value, cwd_absolute.as_ref())
+                                {
+                                    if entry.access.can_write() {
+                                        writable_roots.push(path);
+                                    } else if entry.access.can_read() {
+                                        readable_roots.push(path);
+                                    }
+                                }
+                            }
+                            FileSystemSpecialPath::Tmpdir => {
+                                if entry.access.can_write() {
+                                    tmpdir_writable = true;
+                                } else if entry.access.can_read()
+                                    && let Some(path) = resolve_file_system_special_path(
+                                        value,
+                                        cwd_absolute.as_ref(),
+                                    )
+                                {
+                                    readable_roots.push(path);
+                                }
+                            }
+                            FileSystemSpecialPath::SlashTmp => {
+                                if entry.access.can_write() {
+                                    slash_tmp_writable = true;
+                                } else if entry.access.can_read()
+                                    && let Some(path) = resolve_file_system_special_path(
+                                        value,
+                                        cwd_absolute.as_ref(),
+                                    )
+                                {
+                                    readable_roots.push(path);
+                                }
+                            }
+                        },
+                    }
+                }
+
+                if has_full_disk_write_access {
+                    return Ok(if network_policy.is_enabled() {
+                        SandboxPolicy::DangerFullAccess
+                    } else {
+                        SandboxPolicy::ExternalSandbox {
+                            network_access: NetworkAccess::Restricted,
+                        }
+                    });
+                }
+
+                let read_only_access = if has_full_disk_read_access {
+                    ReadOnlyAccess::FullAccess
+                } else {
+                    ReadOnlyAccess::Restricted {
+                        include_platform_defaults,
+                        readable_roots: dedup_absolute_paths(readable_roots),
+                    }
+                };
+
+                if workspace_root_writable {
+                    SandboxPolicy::WorkspaceWrite {
+                        writable_roots: dedup_absolute_paths(writable_roots),
+                        read_only_access,
+                        network_access: network_policy.is_enabled(),
+                        exclude_tmpdir_env_var: !tmpdir_writable,
+                        exclude_slash_tmp: !slash_tmp_writable,
+                    }
+                } else if !writable_roots.is_empty() || tmpdir_writable || slash_tmp_writable {
+                    return Err(io::Error::new(
+                        io::ErrorKind::InvalidInput,
+                        "permissions profile requests filesystem writes outside the workspace root, which is not supported until the runtime enforces FileSystemSandboxPolicy directly",
+                    ));
+                } else {
+                    SandboxPolicy::ReadOnly {
+                        access: read_only_access,
+                        network_access: network_policy.is_enabled(),
+                    }
+                }
+            }
+        })
+    }
+}
+
+impl From<&SandboxPolicy> for NetworkSandboxPolicy {
+    fn from(value: &SandboxPolicy) -> Self {
+        if value.has_full_network_access() {
+            NetworkSandboxPolicy::Enabled
+        } else {
+            NetworkSandboxPolicy::Restricted
+        }
+    }
+}
+
+impl From<&SandboxPolicy> for FileSystemSandboxPolicy {
+    fn from(value: &SandboxPolicy) -> Self {
+        match value {
+            SandboxPolicy::DangerFullAccess => FileSystemSandboxPolicy::unrestricted(),
+            SandboxPolicy::ExternalSandbox { .. } => FileSystemSandboxPolicy::external_sandbox(),
+            SandboxPolicy::ReadOnly { access, .. } => {
+                let mut entries = Vec::new();
+                match access {
+                    ReadOnlyAccess::FullAccess => entries.push(FileSystemSandboxEntry {
+                        path: FileSystemPath::Special {
+                            value: FileSystemSpecialPath::Root,
+                        },
+                        access: FileSystemAccessMode::Read,
+                    }),
+                    ReadOnlyAccess::Restricted {
+                        include_platform_defaults,
+                        readable_roots,
+                    } => {
+                        entries.push(FileSystemSandboxEntry {
+                            path: FileSystemPath::Special {
+                                value: FileSystemSpecialPath::CurrentWorkingDirectory,
+                            },
+                            access: FileSystemAccessMode::Read,
+                        });
+                        if *include_platform_defaults {
+                            entries.push(FileSystemSandboxEntry {
+                                path: FileSystemPath::Special {
+                                    value: FileSystemSpecialPath::Minimal,
+                                },
+                                access: FileSystemAccessMode::Read,
+                            });
+                        }
+                        entries.extend(readable_roots.iter().cloned().map(|path| {
+                            FileSystemSandboxEntry {
+                                path: FileSystemPath::Path { path },
+                                access: FileSystemAccessMode::Read,
+                            }
+                        }));
+                    }
+                }
+                FileSystemSandboxPolicy::restricted(entries)
+            }
+            SandboxPolicy::WorkspaceWrite {
+                writable_roots,
+                read_only_access,
+                exclude_tmpdir_env_var,
+                exclude_slash_tmp,
+                ..
+            } => {
+                let mut entries = Vec::new();
+                match read_only_access {
+                    ReadOnlyAccess::FullAccess => entries.push(FileSystemSandboxEntry {
+                        path: FileSystemPath::Special {
+                            value: FileSystemSpecialPath::Root,
+                        },
+                        access: FileSystemAccessMode::Read,
+                    }),
+                    ReadOnlyAccess::Restricted {
+                        include_platform_defaults,
+                        readable_roots,
+                    } => {
+                        if *include_platform_defaults {
+                            entries.push(FileSystemSandboxEntry {
+                                path: FileSystemPath::Special {
+                                    value: FileSystemSpecialPath::Minimal,
+                                },
+                                access: FileSystemAccessMode::Read,
+                            });
+                        }
+                        entries.extend(readable_roots.iter().cloned().map(|path| {
+                            FileSystemSandboxEntry {
+                                path: FileSystemPath::Path { path },
+                                access: FileSystemAccessMode::Read,
+                            }
+                        }));
+                    }
+                }
+
+                entries.push(FileSystemSandboxEntry {
+                    path: FileSystemPath::Special {
+                        value: FileSystemSpecialPath::CurrentWorkingDirectory,
+                    },
+                    access: FileSystemAccessMode::Write,
+                });
+                if !exclude_slash_tmp {
+                    entries.push(FileSystemSandboxEntry {
+                        path: FileSystemPath::Special {
+                            value: FileSystemSpecialPath::SlashTmp,
+                        },
+                        access: FileSystemAccessMode::Write,
+                    });
+                }
+                if !exclude_tmpdir_env_var {
+                    entries.push(FileSystemSandboxEntry {
+                        path: FileSystemPath::Special {
+                            value: FileSystemSpecialPath::Tmpdir,
+                        },
+                        access: FileSystemAccessMode::Write,
+                    });
+                }
+                entries.extend(
+                    writable_roots
+                        .iter()
+                        .cloned()
+                        .map(|path| FileSystemSandboxEntry {
+                            path: FileSystemPath::Path { path },
+                            access: FileSystemAccessMode::Write,
+                        }),
+                );
+                FileSystemSandboxPolicy::restricted(entries)
+            }
+        }
+    }
+}
+
+fn resolve_file_system_special_path(
+    value: &FileSystemSpecialPath,
+    cwd: Option<&AbsolutePathBuf>,
+) -> Option<AbsolutePathBuf> {
+    match value {
+        FileSystemSpecialPath::Root | FileSystemSpecialPath::Minimal => None,
+        FileSystemSpecialPath::CurrentWorkingDirectory => {
+            let cwd = cwd?;
+            Some(cwd.clone())
+        }
+        FileSystemSpecialPath::ProjectRoots { subpath } => {
+            let cwd = cwd?;
+            match subpath.as_ref() {
+                Some(subpath) => {
+                    AbsolutePathBuf::resolve_path_against_base(subpath, cwd.as_path()).ok()
+                }
+                None => Some(cwd.clone()),
+            }
+        }
+        FileSystemSpecialPath::Tmpdir => {
+            let tmpdir = std::env::var_os("TMPDIR")?;
+            if tmpdir.is_empty() {
+                None
+            } else {
+                let tmpdir = AbsolutePathBuf::from_absolute_path(PathBuf::from(tmpdir)).ok()?;
+                Some(tmpdir)
+            }
+        }
+        FileSystemSpecialPath::SlashTmp => {
+            #[allow(clippy::expect_used)]
+            let slash_tmp = AbsolutePathBuf::from_absolute_path("/tmp").expect("/tmp is absolute");
+            if !slash_tmp.as_path().is_dir() {
+                return None;
+            }
+            Some(slash_tmp)
+        }
+    }
+}
+
+fn dedup_absolute_paths(paths: Vec<AbsolutePathBuf>) -> Vec<AbsolutePathBuf> {
+    let mut deduped = Vec::with_capacity(paths.len());
+    let mut seen = HashSet::new();
+    for path in paths {
+        if seen.insert(path.to_path_buf()) {
+            deduped.push(path);
+        }
+    }
+    deduped
+}
--- a/codex-rs/protocol/src/protocol.rs
+++ b/codex-rs/protocol/src/protocol.rs
@@ -3152,6 +3152,11 @@ mod tests {
    use crate::items::ImageGenerationItem;
    use crate::items::UserMessageItem;
    use crate::items::WebSearchItem;
+    use crate::permissions::FileSystemAccessMode;
+    use crate::permissions::FileSystemPath;
+    use crate::permissions::FileSystemSandboxEntry;
+    use crate::permissions::FileSystemSandboxPolicy;
+    use crate::permissions::NetworkSandboxPolicy;
    use anyhow::Result;
    use pretty_assertions::assert_eq;
    use serde_json::json;
@@ -3236,6 +3241,36 @@ mod tests {
        }
    }

+    #[test]
+    fn file_system_policy_rejects_legacy_bridge_for_non_workspace_writes() {
+        let cwd = if cfg!(windows) {
+            Path::new(r"C:\workspace")
+        } else {
+            Path::new("/tmp/workspace")
+        };
+        let external_write_path = if cfg!(windows) {
+            AbsolutePathBuf::from_absolute_path(r"C:\temp").expect("absolute windows temp path")
+        } else {
+            AbsolutePathBuf::from_absolute_path("/tmp").expect("absolute tmp path")
+        };
+        let policy = FileSystemSandboxPolicy::restricted(vec![FileSystemSandboxEntry {
+            path: FileSystemPath::Path {
+                path: external_write_path,
+            },
+            access: FileSystemAccessMode::Write,
+        }]);
+
+        let err = policy
+            .to_legacy_sandbox_policy(NetworkSandboxPolicy::Restricted, cwd)
+            .expect_err("non-workspace writes should be rejected");
+
+        assert!(
+            err.to_string()
+                .contains("filesystem writes outside the workspace root"),
+            "{err}"
+        );
+    }
+
    #[test]
    fn item_started_event_from_web_search_emits_begin_event() {
        let event = ItemStartedEvent {
Author	SHA1	Message	Date
Michael Bolin	45efe16881	sandboxing: plumb split sandbox policies through runtime	2026-03-06 14:41:46 -08:00
Michael Bolin	4ff802ef6b	config: add v3 filesystem permission profiles	2026-03-06 14:41:46 -08:00