{"id":50043176,"url":"https://github.com/fityannugroho/opencodebox","last_synced_at":"2026-05-21T04:08:31.082Z","repository":{"id":355149902,"uuid":"1226976967","full_name":"fityannugroho/opencodebox","owner":"fityannugroho","description":"Just OpenCode, but runs in an isolated sandbox. Powered with bubblewrap.","archived":false,"fork":false,"pushed_at":"2026-05-10T05:01:43.000Z","size":85,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-10T07:09:02.487Z","etag":null,"topics":["bubblewrap","opencode","sandbox"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fityannugroho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["fityannugroho"],"patreon":null,"open_collective":null,"ko_fi":"fityannugroho","tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":["https://trakteer.id/fityannugroho/tip","https://saweria.co/fityannugroho"]}},"created_at":"2026-05-02T03:41:59.000Z","updated_at":"2026-05-10T05:01:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fityannugroho/opencodebox","commit_stats":null,"previous_names":["fityannugroho/opencodebox"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fityannugroho/opencodebox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fityannugroho%2Fopencodebox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fityannugroho%2Fopencodebox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fityannugroho%2Fopencodebox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fityannugroho%2Fopencodebox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fityannugroho","download_url":"https://codeload.github.com/fityannugroho/opencodebox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fityannugroho%2Fopencodebox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33288227,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-21T02:57:32.698Z","status":"ssl_error","status_checked_at":"2026-05-21T02:57:31.990Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bubblewrap","opencode","sandbox"],"created_at":"2026-05-21T04:08:30.388Z","updated_at":"2026-05-21T04:08:31.076Z","avatar_url":"https://github.com/fityannugroho.png","language":"Shell","funding_links":["https://github.com/sponsors/fityannugroho","https://ko-fi.com/fityannugroho","https://trakteer.id/fityannugroho/tip","https://saweria.co/fityannugroho"],"categories":[],"sub_categories":[],"readme":"# opencodebox\n\nRun OpenCode inside a bubblewrap sandbox for security isolation.\n\n`opencodebox` is a bash script that runs [OpenCode](https://opencode.ai) (AI coding assistant) inside a sandbox using [bubblewrap](https://github.com/containers/bubblewrap). The sandbox provides process isolation with Linux namespaces (PID, IPC, UTS) and restricted filesystem access.\n\n## Features\n\n- **Process Isolation**: Uses unshare PID, IPC, and UTS namespaces\n- **Controlled Filesystem**: Most system filesystem mounted read-only\n- **Custom Bind Mounts**: Add read-write or read-only access with `--with` and `--with-ro`\n- **Mise Support**: Integrated with [mise](https://mise.jdx.dev) for tool management\n- **SSH Agent Forwarding**: Supports SSH commit signing through the host `ssh-agent`\n- **Seccomp Sandbox Filter**: Mitigates kernel privilege escalation vulnerabilities (see [details](#seccomp-sandbox-filter))\n\n## Prerequisites\n\n- [**bubblewrap** (`bwrap`)](https://github.com/containers/bubblewrap) - for sandboxing\n- [**opencode**](https://opencode.ai) - AI coding assistant\n\n\u003e **Security Note (CVE-2017-5226):** Bubblewrap sandbox can be escaped via `TIOCSTI` ioctl if the kernel allows it. Since Linux 6.2, `TIOCSTI` is restricted when `dev.tty.legacy_tiocsti=0` (default). On older kernels, ensure bubblewrap \u003e= 0.1.5 (uses `setsid()` fix) or enable seccomp filtering. The `install.sh` script performs this check automatically.\n\n## Installation\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/fityannugroho/opencodebox/main/install.sh | bash\n```\n\nThis installs `opencodebox` to `~/.local/bin/opencodebox`. Make sure `~/.local/bin` is in your PATH.\n\nVerify the installation :\n\n```bash\nopencodebox --version\n```\n\n## Usage\n\n`opencodebox` is a wrapper for the `opencode` command. All arguments are passed through to `opencode` inside the sandbox.\n\n```bash\nopencodebox [OPTIONS] [OPENCODE_ARGS...]\n```\n\n\u003e **Note:** The `opencode` command stays available when you need it. We didn't replace it.\n\n### Options\n\n`opencodebox` adds the following options :\n\n- `--with /host[:/sandbox]` - Bind host path read-write to sandbox\n- `--with-ro /host[:/sandbox]` - Bind host path read-only to sandbox\n\nThese options allow you to specify additional directories to mount inside the sandbox for read-write or read-only access.\n\n### Examples\n\n```bash\n# Run sandboxed opencode in current directory\nopencodebox\n\n# Run sandboxed opencode with read-write access to /data\nopencodebox --with /data\n\n# Run sandboxed opencode with read-write access to /mnt/data mapped to /workspace/data\nopencodebox --with /mnt/data:/workspace/data\n\n# Run sandboxed opencode with read-only access to config\nopencodebox --with-ro /etc/hosts\n\n# Run sandboxed opencode server with specified bind mounts\nopencodebox --with /data --with-ro /config serve\n```\n\n## How It Works\n\n1. Parse arguments (`--with`, `--with-ro`, `--version`, `--help`)\n2. Check prerequisites (bwrap and opencode)\n3. Load seccomp sandbox filter (see [details](#seccomp-sandbox-filter))\n4. **Enforce security restrictions**:\n   - Rejects running from `$HOME`, `~/.ssh`, `~/.gnupg`, or their ancestors\n   - Rejects sensitive paths in `--with`/`--with-ro` binds\n   - Validates `~/.ssh` directory permissions (must be `0700`)\n5. Build bubblewrap sandbox with namespace isolation and bind mounts\n6. Setup SSH (sanitized `.pub` keys, `known_hosts`, agent forwarding)\n7. Add conditional tool mounts (bun, npm, pnpm, uv, pipenv, cargo, git, mise) and extra bind mounts\n8. Execute opencode inside the sandbox\n\n## Bind Mounts Structure\n\n### Unconditional Mounts (Always Present)\n\n**Read-Only:**\n- `/usr` - System basics\n- `/etc/ssl` - SSL/TLS certificates\n- `/etc/ca-certificates` - CA certificate store\n- `/etc/alternatives` - System alternatives (managed by update-alternatives)\n- `$HOME/.local` - User local data (except keyrings/tool data)\n- `$HOME/.cache/opencode` - OpenCode cache\n- `$HOME/.ssh/*.pub` - Sanitized OpenSSH public key material, when `$HOME/.ssh` is not a symlink\n- `$HOME/.ssh/known_hosts` - SSH host key, read-only, for Git-over-SSH host verification\n- `gpg.ssh.allowedSignersFile` - Configured SSH allowed signers file (if configured)\n- OpenCode: `.config/opencode`, `.agents`\n\n**Read-Write:**\n- Current project directory (`$PWD`)\n- `$HOME/.local/share/opencode` - OpenCode application data\n\n**Tmpfs (Private, writable per-session):**\n- `/tmp` - Temporary files\n- `$HOME/.cache` - Universal cache\n- `$HOME/.local/share/keyrings` - Exclude private keyring (if exists on host)\n\n### Conditional Tool Mounts (Requires Tool Installed on Host)\n\nEach tool is mounted only when `command -v \u003ctool\u003e` succeeds on the host. If the tool is not installed, none of its directories are bound into the sandbox.\n\n| Tool | Read-Only Bind | Tmpfs |\n|------|---------------|-------|\n| **Bun** | `~/.bun` | `~/.bun/install/cache` |\n| **npm** | `~/.npmrc` | `~/.npm` |\n| **pnpm** | `~/.config/pnpm` | `~/.local/share/pnpm/store` |\n| **uv** | `~/.config/uv` | — |\n| **pipenv** | — | `~/.local/share/virtualenvs` |\n| **Rust/Cargo** | `~/.rustup`, `~/.cargo/bin`, `~/.cargo/config.toml` | `~/.cargo/registry` |\n| **Git** | `~/.gitconfig` | — |\n| **Mise** | `~/.config/mise`, `~/.local/share/mise`, `~/.cache/mise` | — |\n\n## Security Restrictions\n\n`opencodebox` enforces several security restrictions to prevent sandbox escape:\n\n- **Project directory**: Cannot run from `$HOME`, `~/.ssh`, `~/.gnupg`, or their ancestors. Use a dedicated project directory.\n- **Bind mounts**: `--with` and `--with-ro` reject paths that point to or enclose sensitive locations (`$HOME`, `~/.ssh`, `~/.gnupg`).\n- **SSH directory**: `~/.ssh` must have permissions `0700`. Fix with: `chmod 700 ~/.ssh`\n\n## SSH Agent and Git Signing\n\nIf `SSH_AUTH_SOCK` points to a valid socket, `opencodebox` forwards that socket into the sandbox. This allows SSH commit signing with keys already loaded by `ssh-add` on the host. This feature does not mount private SSH keys into the sandbox.\n\nFor Git SSH signing, use a public key path such as `~/.ssh/id_ed25519.pub`, or an inline `key::ssh-ed25519 ...` value. Validates and sanitizes `.pub` files (rejects symlinks, hardlinks, multi-line files; validates key type, base64 format, and OpenSSH key structure with `ssh-keygen`). The sandbox receives sanitized key material only (`\u003ckey-type\u003e \u003ckey-data\u003e`), so comments or extra file content are not exposed.\n\nFor Git-over-SSH network operations, `known_hosts` is mounted read-only when available. This allows host verification without exposing private keys. `~/.ssh/config` is not mounted by default because it can contain broader host-specific behavior; bind it explicitly with `--with-ro ~/.ssh/config` only when needed.\n\nFor local SSH signature verification, the configured `gpg.ssh.allowedSignersFile` is mounted read-only when it is an absolute regular file.\n\n\u003e **Note:** `.pub` validation occurs at script startup. There is a small TOCTOU window between reading and validating each `.pub` file; this is an accepted limitation of shell scripting.\n\nGit-over-SSH network operations may still need explicit read-only binds for files such as `~/.ssh/config` in custom setups. User-provided binds and the current project bind can expose private keys if they include those files, so avoid binding `~/.ssh` wholesale.\n\nForwarding an agent still lets sandboxed processes ask the agent to authenticate or sign while the socket is available. Use a dedicated signing key and consider `ssh-add -c -t 1h ~/.ssh/signing_key` for confirmation and expiry.\n\n## Seccomp Sandbox Filter\n\n`opencodebox` includes a seccomp BPF filter that blocks socket creation for several protocol families to mitigate kernel privilege escalation vulnerabilities from inside the sandbox:\n\n| Vulnerability | CVEs | Blocked Sockets |\n|---|---|---|\n| Copy Fail | [CVE-2026-31431](https://copy.fail) | `socket(AF_ALG, *, *)` |\n| Dirty Frag (ESP) | [CVE-2026-43284](https://github.com/V4bel/dirtyfrag) | `socket(AF_INET/AF_INET6, *, IPPROTO_ESP)` |\n| Dirty Frag (ESP Bypass) | [CVE-2026-43284](https://github.com/V4bel/dirtyfrag) | `socket(AF_NETLINK, *, NETLINK_XFRM)`, `setsockopt(*, IPPROTO_UDP, UDP_ENCAP, *)` |\n| Dirty Frag (RxRPC) | [CVE-2026-43500](https://github.com/V4bel/dirtyfrag) | `socket(AF_RXRPC, *, *)` |\n| Dirty Frag (IPCOMP) | [CVE-2026-43284](https://github.com/V4bel/dirtyfrag) | `socket(AF_INET/AF_INET6, *, IPPROTO_IPCOMP)` |\n\nThese are defense-in-depth mitigations and do not replace kernel patches. Supported architectures: **x86_64** and **aarch64**.\n\nThe filter is automatically applied if the corresponding `.bpf` file is available; otherwise a warning is displayed and the sandbox runs without it. The seccomp filter is stored at `~/.local/share/opencodebox/seccomp-security.bpf` after installation.\n\n### References\n\n- [Copy Fail — CVE-2026-31431](https://copy.fail)\n- [Dirty Frag — CVE-2026-43284 / CVE-2026-43500](https://github.com/V4bel/dirtyfrag)\n- [Ubuntu Security Advisory — Dirty Frag](https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available)\n- [AWS Security Bulletin — 2026-027](https://aws.amazon.com/security/security-bulletins/2026-027-aws/)\n\n## Development\n\nTo generate the seccomp BPF filter files (`.bpf`):\n\n**Dependencies:**\n- **gcc** - C compiler\n- **libseccomp-dev** - libseccomp development headers and library\n\nInstall on Ubuntu/Debian:\n```bash\nsudo apt install gcc libseccomp-dev\n```\n\n**Compile and generate:**\n```bash\n# Compile the BPF generator\ngcc -o seccomp/seccomp-security-gen seccomp/seccomp-security-gen.c -lseccomp\n\n# Generate BPF filters for each architecture\n./seccomp/seccomp-security-gen x86_64 \u003e seccomp/seccomp-security-x86_64.bpf\n./seccomp/seccomp-security-gen aarch64 \u003e seccomp/seccomp-security-aarch64.bpf\n\n# Clean up compiled generator\nrm seccomp/seccomp-security-gen\n```\n\nThe `.bpf` filter files are pre-generated and shipped with the repository, so end users do **not** need these development dependencies.\n\n## License\n\n[MIT License](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffityannugroho%2Fopencodebox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffityannugroho%2Fopencodebox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffityannugroho%2Fopencodebox/lists"}