Cannot call os.sysconf('SC_ARG_MAX') in sandbox mode #2486

@alexchandel

What version of Codex is running?

codex-cli 0.22.0

Which model were you using?

gpt-5

What platform is your computer?

Darwin 24.6.0 x86_64 i386

What steps can reproduce the bug?

The popular pre-commit calls os.sysconf('SC_ARG_MAX') at import initialization to determine the maximum number of bytes that can be passed to a subprocess.

This seems like a very innocuous call, but it is blocked by the sandbox. I can't think of a reason it would not be safe.

Can this call be whitelisted?

What is the expected behavior?

sysconf(_SC_ARG_MAX) is innocuous, and should be allowed. (The current value is 1048576, or 1 MiB, but this can change.)

What do you see instead?

codex
I’ll run pre-commit with --no-sync (no approvals). If it hits a sandbox cache path, I’ll retry with PRE_COMMIT_HOME=.cache/pre-commit.

✗ Failed (exit -1)
  └ ⌨️ /usr/local/bin/uv run --no-sync pre-commit run -a
    Traceback (most recent call last):
      File "/Users/alex/GitHub/controlforge/.venv/bin/pre-commit", line 4, in <module>
        from pre_commit.main import main
      File "/Users/alex/GitHub/controlforge/.venv/lib/python3.13/site-packages/pre_commit/main.py", line 10, in <module>
        from pre_commit import clientlib
… +8 lines
                           ~~~~~~~~~~~~~~~~~~~~~~~~^^
      File "/Users/alex/GitHub/controlforge/.venv/lib/python3.13/site-packages/pre_commit/xargs.py", line 51, in
_get_platform_max_length
        maximum = os.sysconf('SC_ARG_MAX') - 2048 - _environ_size()
                  ~~~~~~~~~~^^^^^^^^^^^^^^
    PermissionError: [Errno 1] Operation not permitted

Additional information

pre-commit is commonly used to run checks like linting, formatting, and testing, and AGENTS.md may instruct Codex to invoke it (directly, with uv run pre-commit, or some other way).
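
One way for a caller to tolerate the denied lookup shown in the traceback above, as an added example that is not part of the original issue and is not code from pre-commit or Codex. It catches the `PermissionError` and falls back to the POSIX minimum `ARG_MAX` of 4096; the function names, the environment-size accounting, the floor value and the simulated denial are assumptions.

```python
import os

POSIX_ARG_MAX = 4096   # _POSIX_ARG_MAX, the smallest ARG_MAX POSIX permits
HEADROOM = 2048        # same margin as the expression in the traceback
FLOOR = 4096           # assumed lower bound so a large environment cannot go negative


def read_sysconf(name, sysconf=None):
    """Return (value, reason); value is None when the lookup fails."""
    sysconf = sysconf or os.sysconf
    try:
        value = sysconf(name)
    except PermissionError as exc:        # EPERM: blocked by the sandbox policy
        return None, f"denied: {exc}"
    except (OSError, ValueError) as exc:  # unsupported or unrecognised name
        return None, f"unavailable: {exc}"
    if value < 0:                         # -1 means the limit is indeterminate
        return None, "indeterminate"
    return value, None


def environ_size(env):
    """Bytes taken by the environment block: KEY=VALUE plus a NUL per entry."""
    return sum(len(os.fsencode(k)) + len(os.fsencode(v)) + 2 for k, v in env.items())


def max_command_length(env=None, sysconf=None):
    """Byte budget for argv, plus the reason a fallback was used (or None)."""
    env = os.environ if env is None else env
    arg_max, reason = read_sysconf("SC_ARG_MAX", sysconf)
    if arg_max is None:
        arg_max = POSIX_ARG_MAX           # conservative guess when the query is blocked
    return max(arg_max - HEADROOM - environ_size(env), FLOOR), reason


def sandbox_denied(name):
    """Constructed stand-in for the sandboxed call in the report."""
    raise PermissionError(1, "Operation not permitted")


if __name__ == "__main__":
    print(max_command_length())                        # real lookup on this host
    print(max_command_length(sysconf=sandbox_denied))  # simulated denial
```

Returning the reason alongside the budget lets the caller log that a sandbox denial occurred instead of silently running with a smaller limit.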


Labels: bug
