Setting --hostname sandbox inside the UTS namespace was purely cosmetic
(a label for interactive shells) and provided no isolation beyond what
--unshare-uts already gives. It also caused codex to hang for ~5s on
startup: glibc resolved the unknown "sandbox" name via systemd-resolved
and waited through two DNS retry timeouts before giving up.
Dropping the override lets the sandbox inherit the host's hostname,
which already resolves locally, eliminating the stall.

Whitelist mode now clears the parent env and re-adds a small allowlist
(identity, terminal, locale, proxy, non-GUI XDG, vendor prefixes).
Blacklist mode strips cloud credentials, backup passphrases, dangling
socket pointers, and anything matching *_TOKEN, *_SECRET, *_PASSWORD,
*_PASSPHRASE, *_API_KEY, *_PRIVATE_KEY, *_CLIENT_SECRET; vendor prefix
carve-outs keep ANTHROPIC_API_KEY and friends.
Users can override via --setenv KEY=VALUE and --unsetenv KEY (and the
corresponding TOML keys), or opt out of the built-in policy entirely
with --no-env-filter.

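The two filter modes and the override order described above, as an added example (Python, not the sandbox's own code). The concrete allowlist entries, the vendor prefixes and the named blocklist entries are constructed to match the categories in the message (identity, terminal, locale, proxy, non-GUI XDG; cloud credentials, backup passphrases, socket pointers), so treat every specific name other than the suffix patterns and ANTHROPIC_API_KEY as an assumption. The ordering "built-in policy first, then --unsetenv, then --setenv" is also assumed.

```python
import fnmatch

# Added example, not the sandbox's own code. Allowlist, vendor prefixes and
# blocklist names are constructed to illustrate the described policy.
ALLOWLIST = {
    "HOME", "USER", "LOGNAME", "SHELL", "PATH",            # identity
    "TERM", "COLORTERM", "COLUMNS", "LINES",               # terminal
    "LANG", "LANGUAGE", "LC_ALL", "LC_CTYPE", "TZ",        # locale
    "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY",               # proxy
    "http_proxy", "https_proxy", "no_proxy",
    "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME",  # non-GUI XDG
    "XDG_STATE_HOME", "XDG_CONFIG_DIRS", "XDG_DATA_DIRS",
}
VENDOR_PREFIXES = ("ANTHROPIC_", "OPENAI_")  # assumed carve-out prefixes
BLOCKLIST = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",  # cloud creds
    "GOOGLE_APPLICATION_CREDENTIALS", "AZURE_CLIENT_SECRET",
    "BORG_PASSPHRASE", "RESTIC_PASSWORD",                               # backup passphrases
    "SSH_AUTH_SOCK", "GPG_AGENT_INFO", "DBUS_SESSION_BUS_ADDRESS",     # sockets not bound inside
}
SECRET_PATTERNS = ("*_TOKEN", "*_SECRET", "*_PASSWORD", "*_PASSPHRASE",
                   "*_API_KEY", "*_PRIVATE_KEY", "*_CLIENT_SECRET")


def is_sensitive(name: str) -> bool:
    """Blacklist-mode decision for a single variable name."""
    if name.startswith(VENDOR_PREFIXES):
        return False  # vendor carve-out wins over the suffix patterns
    if name in BLOCKLIST:
        return True
    return any(fnmatch.fnmatchcase(name, pat) for pat in SECRET_PATTERNS)


def parse_setenv(spec: str) -> tuple:
    """Split a --setenv KEY=VALUE argument; VALUE may itself contain '='."""
    key, sep, value = spec.partition("=")
    if not sep or not key:
        raise ValueError(f"--setenv expects KEY=VALUE, got {spec!r}")
    return key, value


def filter_env(env, mode="blacklist", setenv=(), unsetenv=(), enabled=True):
    """Return the environment the sandboxed process should receive.

    "whitelist" clears everything and re-adds the allowlist plus vendor
    prefixes; "blacklist" keeps everything except sensitive names.
    setenv/unsetenv are the user's explicit overrides and are applied last,
    so they win over the built-in policy. enabled=False mirrors --no-env-filter.
    """
    if not enabled:
        out = dict(env)
    elif mode == "whitelist":
        out = {k: v for k, v in env.items()
               if k in ALLOWLIST or k.startswith(VENDOR_PREFIXES)}
    elif mode == "blacklist":
        out = {k: v for k, v in env.items() if not is_sensitive(k)}
    else:
        raise ValueError(f"unknown env filter mode {mode!r}")
    for key in unsetenv:
        out.pop(key, None)
    for spec in setenv:
        key, value = parse_setenv(spec)
        out[key] = value
    return out


# Constructed parent environment for a demonstration run.
SAMPLE_ENV = {
    "HOME": "/home/alice", "PATH": "/usr/bin", "TERM": "xterm-256color",
    "DISPLAY": ":0", "GITHUB_TOKEN": "ghp_constructed", "MY_DB_PASSWORD": "hunter2",
    "AWS_SECRET_ACCESS_KEY": "constructed", "SSH_AUTH_SOCK": "/run/user/1000/ssh",
    "ANTHROPIC_API_KEY": "sk-ant-constructed", "XDG_CONFIG_HOME": "/home/alice/.config",
}

if __name__ == "__main__":
    for mode in ("whitelist", "blacklist"):
        print(mode, sorted(filter_env(SAMPLE_ENV, mode)))
```

Note that the vendor carve-out is checked before the suffix patterns, which is what keeps ANTHROPIC_API_KEY despite it matching `*_API_KEY`; a name like AWS_SECRET_ACCESS_KEY matches none of the suffixes, which is why cloud credentials need explicit blocklist entries rather than relying on the patterns.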
Derived from Podman's default profile, stripped of capability-conditional
rules (we never grant capabilities), argument filters, and the explicit
EPERM block. Dangerous syscalls (mount, unshare, ptrace, bpf,
perf_event_open, io_uring_*, keyctl, kexec_*, ...) fall through to the
default ENOSYS action, which also keeps glibc's clone3 -> clone fallback
working. x86_64 and aarch64 are supported; other archs error out.
Toggle with --seccomp / --no-seccomp or seccomp = <bool> in config.

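The derivation from the Podman profile, as an added example (Python, not the sandbox's own code). It operates on the JSON profile layout used by Podman and moby (defaultAction, defaultErrnoRet, archMap, and syscalls[] entries carrying names, action, args, includes and excludes); whether the real tool consumes that JSON or hardcodes the resulting rules is not stated, so the layout is an assumption, and the miniature profile below is constructed rather than copied from Podman. The `decide` helper only models the derived profile, where every remaining rule is an unconditional allow.

```python
import errno
import json

# Added example, not the sandbox's own code. Profile layout per Podman/moby
# JSON (assumed); the sample profile is a constructed miniature.
SUPPORTED_ARCHES = {"x86_64": "SCMP_ARCH_X86_64", "aarch64": "SCMP_ARCH_AARCH64"}

PODMAN_LIKE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": errno.EPERM,
    "archMap": [
        {"architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]},
        {"architecture": "SCMP_ARCH_AARCH64", "subArchitectures": ["SCMP_ARCH_ARM"]},
    ],
    "syscalls": [
        {"names": ["read", "write", "openat", "clone", "execve"], "action": "SCMP_ACT_ALLOW"},
        # argument filter: allowed only for one personality value
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
        # capability-conditional rules
        {"names": ["mount", "umount2", "unshare"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["ptrace", "process_vm_readv"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
        # explicit EPERM block for processes lacking the capability
        {"names": ["bpf", "perf_event_open", "kexec_load"], "action": "SCMP_ACT_ERRNO",
         "errnoRet": errno.EPERM, "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def derive_profile(profile: dict, arch: str) -> dict:
    """Strip capability-conditional rules, argument filters and explicit
    ERRNO blocks; anything not allowed falls through to a default of ENOSYS."""
    if arch not in SUPPORTED_ARCHES:
        raise ValueError(f"unsupported architecture: {arch}")
    scmp_arch = SUPPORTED_ARCHES[arch]
    kept = []
    for rule in profile["syscalls"]:
        if rule.get("args"):
            continue  # argument filter: dropped
        if "caps" in rule.get("includes", {}) or "caps" in rule.get("excludes", {}):
            continue  # capability-conditional: we never grant capabilities
        if rule["action"] != "SCMP_ACT_ALLOW":
            continue  # explicit EPERM block: the ENOSYS default covers it
        kept.append({"names": list(rule["names"]), "action": "SCMP_ACT_ALLOW"})
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": errno.ENOSYS,  # lets glibc fall back from clone3 to clone
        "archMap": [m for m in profile["archMap"] if m["architecture"] == scmp_arch],
        "syscalls": kept,
    }


def decide(profile: dict, syscall: str):
    """Result for one syscall under a derived profile: 'allow' or an errno."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return "allow"
    return profile["defaultErrnoRet"]


if __name__ == "__main__":
    derived = derive_profile(PODMAN_LIKE_PROFILE, "x86_64")
    print(json.dumps(derived, indent=2))
    for name in ("clone", "clone3", "mount", "ptrace", "bpf", "personality"):
        print(f"{name:16} -> {decide(derived, name)}")
```

The ENOSYS default matters for the clone3 case: a program whose libc tries clone3 first and gets ENOSYS retries with clone, whereas EPERM would surface as a hard failure.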
Pair --hardened, --dry-run, and --unshare-net (renamed from --no-net)
with negation counterparts so a CLI invocation can override a truthy
config-file or profile value.