Created
December 14, 2025 09:31
-
-
Save esynr3z/31e34a8e5037079ff0c9a3b2f1b39c2c to your computer and use it in GitHub Desktop.
firejail wrapper for codex-cli
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # firejail wrapper for codex-cli | |
| # | |
| # - it requires that codex is logged in at host | |
| # - it creates .codex temprorary directory in current pwd | |
| # - codex home is moved to the current temp directory to store conversations and history | |
| # - no files are available to codex outside current working directory | |
| set -euo pipefail | |
| # Setup variables | |
| CODEX_BIN="${CODEX_BIN:-codex}" | |
| REALPWD="$(pwd -P)" # no syminks | |
| AUTH_SRC="${HOME}/.codex/auth.json" | |
| AUTH_DST="${REALPWD}/.codex/auth.json" | |
| # Check binaries and authorization file | |
| command -v firejail >/dev/null 2>&1 || { echo "firejail not found in PATH" >&2; exit 127; } | |
| command -v "${CODEX_BIN}" >/dev/null 2>&1 || { echo "codex not found (set CODEX_BIN if needed)" >&2; exit 127; } | |
| [[ -f "${AUTH_SRC}" ]] || { echo "Missing auth file: ${AUTH_SRC}. Run 'codex login'." >&2; exit 1; } | |
| # Install authorization file | |
| mkdir -p "$(dirname "${AUTH_DST}")" | |
| if [[ ! -f "${AUTH_DST}" || "${AUTH_SRC}" -nt "${AUTH_DST}" ]]; then | |
| install -m 600 "${AUTH_SRC}" "${AUTH_DST}" | |
| fi | |
| export CODEX_HOME=${REALPWD}/.codex | |
| exec firejail \ | |
| --noprofile \ | |
| --whitelist="${REALPWD}" \ | |
| --private-cwd="${REALPWD}" \ | |
| --private-tmp \ | |
| --private-dev \ | |
| -- \ | |
| "${CODEX_BIN}" "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment