Sandbox blocks macOS SystemConfiguration API, crashing Rust-based CLI tools (Codex CLI)

Resolved 💬 4 comments Opened Apr 3, 2026 by BaseInfinity Closed May 31, 2026

Bug Description

Claude Code's macOS seatbelt sandbox blocks access to com.apple.SystemConfiguration.configd Mach service. This causes any child process that uses the Rust system-configuration crate (via SCDynamicStoreCreate) to panic with exit code 101.

This affects any Rust CLI using reqwest with the default system-proxy feature — which is the common case. Confirmed broken: OpenAI Codex CLI.

Reproduction

Environment: macOS Darwin 24.1.0 (Apple Silicon), Claude Code v2.1.90, Codex CLI v0.118.0

Test matrix (same machine, same directory, same command):

| # | Environment | Result | Exit Code |
|---|------------|--------|-----------|
| 1 | Terminal (no Claude Code) | SUCCESS | 0 |
| 2 | CC Bash tool (default sandbox) | CRASH: dynamic_store.rs:154 panic | 101 |
| 3 | CC Bash tool (dangerouslyDisableSandbox: true) | SUCCESS | 0 |

The only variable between Test 2 (crash) and Test 3 (success) is Claude Code's sandbox.

Test 2 output:

WARNING: proceeding, even though we could not update PATH: Operation not permitted (os error 1)

thread 'main' panicked at system-configuration-0.6.1/src/dynamic_store.rs:154:1:
Attempted to create a NULL object.
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Independent reproduction (no Claude Code, pure seatbelt):

# Deny ONLY configd mach-lookup -> crash
printf '(version 1) (allow default) (deny mach-lookup (global-name "com.apple.SystemConfiguration.configd"))' > /tmp/deny-configd.sb
sandbox-exec -f /tmp/deny-configd.sb codex exec -s danger-full-access "echo test"
# -> same panic, exit 101

# Deny network but allow configd -> works fine
printf '(version 1) (allow default) (deny network*)' > /tmp/deny-net.sb
sandbox-exec -f /tmp/deny-net.sb codex exec -s danger-full-access "echo test"
# -> success

Root Cause

  1. CC's seatbelt profile denies mach-lookup for com.apple.SystemConfiguration.configd
  2. Child process (Codex) uses reqwest with default system-proxy feature
  3. reqwest -> hyper-util -> SCDynamicStoreBuilder::new("").build()
  4. SCDynamicStoreCreateWithOptions() returns NULL because configd is blocked
  5. system-configuration crate v0.6.1 panics on NULL (no null check)

Impact

  • Any Rust CLI using reqwest with default features crashes inside Claude Code on macOS
  • Users integrating multiple AI coding tools (CC + Codex CLI for cross-model review) are blocked
  • Workaround exists but requires dangerouslyDisableSandbox: true on every invocation

Suggested Fix

Allow mach-lookup for com.apple.SystemConfiguration.configd in the seatbelt profile. This is a read-only system configuration query (proxy settings) — not a security-sensitive operation.

Workaround

Use dangerouslyDisableSandbox: true on the Bash tool call when running affected CLI tools. This bypasses CC's seatbelt for that invocation only.

Notes

  • The system-configuration crate has fixed the NULL panic in v0.7.0 (returns Option instead of panicking)
  • Complementary fix being submitted to Codex side: openai/codex#15640
  • The Codex fix makes it resilient; this fix makes CC's sandbox compatible with common Rust CLIs

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗