wg-wrap.git/Makefile, branch mainwg-wrap runs commands in network namespaces configured with userspace wireguard tunnels.
https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main2026-05-29T23:56:45ZFix DNS leaks, lifecycle race, and editor arg splitting2026-05-29T23:56:45ZJames O'Dohertyjames@theodohertyfamily.com2026-05-29T23:56:45Zurn:sha1:a7c7fa9e76c9c7015c31378062aa5d0c17b0f38f
- DNS Leak / Isolation Bypass: Blocked glibc's systemd-resolved and
D-Bus socket communication within the unprivileged mount namespace by
introducing BlockHostServices(). This targeted mount-blocking forces
glibc to fall back to the standard resolv.conf DNS routing path and
prevents host leaks.
- Lifecycle Race: Reordered and protected the reference-counting
cleanup routine under the profile flock to ensure that check-and-unpin
operations are atomic and do not teardown namespaces actively used
by parallel processes.
- Editor Arguments: Split the EDITOR environment variable into discrete
field tokens before invocation to support editor configurations
containing command-line flags.
- Testing: Added E2E regression tests for DNS leak detection,
namespace unpinning concurrency, and editor argument parsing. All E2E
tests now compile and pass cleanly.
refactor: optimize file cleanups, propagate exit codes, and fix Makefile2026-05-29T23:21:49ZJames O'Dohertyjames@theodohertyfamily.com2026-05-29T23:21:49Zurn:sha1:70096b533d42b684ab13651aaae884047e01e43d
- Unlink the temporary bootstrap launcher binary immediately after opening a read-only descriptor to it, then execute via `/proc/self/fd/<fd>` to ensure zero-disk footprint on execution.
- Unlink temporary `/tmp/resolvconf*` files immediately after successful bind-mounting over `/etc/resolv.conf`.
- Prune parent ephemeral profile directories when unpinning a namespace, leaving zero directories behind once empty.
- Propagate the exact exit status of the wrapped command to the host process using `errors.As` and `*exec.ExitError` instead of defaulting to exit code 1.
- Added E2E automated test `TestExitCodePropagation` to verify exit status delivery.
- Added the `$(BINARY)` target to `.PHONY` in the Makefile to delegate dependency tracking to Go's compiler cache, ensuring modified Go files are rebuilt during `make test`.
Fix PID lifecycle race and improve CLI routing for diagnostic commands2026-05-22T15:37:57ZJames O'Dohertyjames@theodohertyfamily.com2026-05-22T15:37:57Zurn:sha1:e5bbb969a15c569cf7d37634234a71783f628390Refactor lifecycle to support XDG_RUNTIME_DIR and fix binary pathing in E2E tests2026-05-22T15:20:24ZJames O'Dohertyjames@theodohertyfamily.com2026-05-22T15:20:24Zurn:sha1:079e4240534cbdc8751f1a127def20f2d1e58da6Implement automatic namespace lifecycle cleanup with last-man-out reference counting2026-05-22T15:12:21ZJames O'Dohertyjames@theodohertyfamily.com2026-05-22T15:12:21Zurn:sha1:3b56ccecf46b83fa9b0e4b6c54be6ffda395910cUpdate Makefile and README to standardize build/test process and lauch fuzzer2026-05-22T14:51:00ZJames O'Dohertyjames@theodohertyfamily.com2026-05-22T14:51:00Zurn:sha1:cefff85a054d64f124aa1f3e91b9425695aa210bSecurity hardening: prevent shell injection and null-byte crashes, implement 8-bit clean argument fuzzing and portable E2E binary discovery2026-05-22T14:46:02ZJames O'Dohertyjames@theodohertyfamily.com2026-05-22T14:46:02Zurn:sha1:9131b0004e7c640cc028179e1d049a4c62210d94feat: implement rootless network isolation bootstrap and C launcher2026-05-22T14:05:38ZJames O'Dohertyjames@theodohertyfamily.com2026-05-22T14:05:38Zurn:sha1:764d3e67fc783c487f42d398d1b85a5a1f0d8ef0