FireJail Profile for OpenCode

This repository contains a FireJail security profile for running OpenCode in a sandboxed environment, providing additional security isolation.

Prerequisites

• FireJail must be installed on your system
• OpenCode should be installed

Setup Instructions

1. Copy the FireJail Profile

Copy the opencode.profile file to your FireJail configuration directory:

# Create the firejail config directory if it doesn't exist
mkdir -p ~/.config/firejail

# Copy the profile
cp opencode.profile ~/.config/firejail/opencode.profile

2. Create Shell Alias

You need to create an alias in your shell startup script to use the FireJail profile with OpenCode. The setup depends on your shell:

For Zsh Users (~/.zshrc)

Add this line to your ~/.zshrc file:

# Add FireJail alias for OpenCode
echo 'alias opencode="firejail --profile=opencode --whitelist=/path/to/your/workspace opencode"' >> ~/.zshrc

# Reload your shell configuration
source ~/.zshrc

For Bash Users (~/.bashrc)

Add this line to your ~/.bashrc file:

# Add FireJail alias for OpenCode
echo 'alias opencode="firejail --profile=opencode --whitelist=/path/to/your/workspace opencode"' >> ~/.bashrc

# Reload your shell configuration
source ~/.bashrc

For Fish Users (~/.config/fish/config.fish)

Add this line to your ~/.config/fish/config.fish file:

# Add FireJail alias for OpenCode
echo 'alias opencode="firejail --profile=opencode --whitelist=/path/to/your/workspace opencode"' >> ~/.config/fish/config.fish

# Reload your shell configuration
source ~/.config/fish/config.fish

3. Customize Workspace Path

Important: Replace /path/to/your/workspace in the alias with the actual path where your code projects are stored. For example:

# Example for a typical workspace in home directory
alias opencode="firejail --profile=opencode --whitelist=$HOME/workspace opencode"

# Example for multiple workspace directories
alias opencode="firejail --profile=opencode --whitelist=$HOME/projects --whitelist=$HOME/workspace opencode"

4. Verification

To verify the setup is working correctly:

1. Open a new terminal session
2. Run: opencode --version
3. The command should execute within the FireJail sandbox

You can verify FireJail is active by checking the process:

ps aux | grep firejail

Security Features

This FireJail profile provides:

• Capability dropping: Removes all Linux capabilities
• Network filtering: Controls network access
• Filesystem isolation: Only allows access to whitelisted directories
• Disabled subsystems: Blocks access to DVD, sound, TV, video, and input devices
• Seccomp filtering: Restricts system calls

Customization

You can modify the opencode.profile to:

• Add more whitelisted directories with whitelist /path/to/directory
• Allow network access by removing the netfilter line
• Enable sound/video if needed by removing the corresponding no* directives

Troubleshooting

If you encounter issues:

1. Check that FireJail is properly installed: firejail --version
2. Verify the profile is in the correct location: ls -la ~/.config/firejail/opencode.profile
3. Test the profile manually: firejail --profile=opencode --whitelist=$HOME/workspace opencode --version

For more advanced configuration, refer to the FireJail documentation.