<feed xmlns='http://www.w3.org/2005/Atom'>
<title>wg-wrap.git/internal/namespace/namespace.go, branch main</title>
<subtitle>wg-wrap runs commands in network namespaces configured with userspace WireGuard tunnels.
</subtitle>
<id>https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main</id>
<link rel='self' href='https://git.theodohertyfamily.com/wg-wrap.git/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/'/>
<updated>2026-06-13T17:50:25Z</updated>
<entry>
<title>feat: implement system preflight checks and health diagnostics</title>
<updated>2026-06-13T17:50:25Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-06-13T17:50:25Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=5646eca119f80f8f45ebec9fcbe666ca614ebf5d'/>
<id>urn:sha1:5646eca119f80f8f45ebec9fcbe666ca614ebf5d</id>
<content type='text'>
Introduced a tiered system verification mechanism to improve reliability
and provide actionable feedback to users, avoiding false positives in
the critical execution path.

Key changes:
- Implement `CheckSystemRequirements` for critical, non-ambiguous
  requirements (e.g., TUN device availability) to ensure fatal
  environment issues are caught immediately during bootstrap.
- Implement a user-facing `healthcheck` command that provides
  comprehensive diagnostics and actionable configuration hints for
  common misconfigurations (e.g., unprivileged user namespaces,
  subuid/subgid mappings, and kernel sysctls).
- Refactor the `FileSystem` interface to support full mockability,
  allowing for exhaustive unit testing of diagnostic logic.
- Add comprehensive unit tests in `internal/namespace/preflight_test.go`
  covering various Linux distributions, privilege levels, and
  hardware availability scenarios.
- Ensure code quality through formatting, static analysis (golangci-lint),
  and validation of all existing unit, integration, and E2E tests.
</content>
</entry>
<entry>
<title>refactor: implement dependency injection and enable parallel testing</title>
<updated>2026-06-13T15:51:04Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-06-13T15:51:04Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=29621ecbd1e77e6e1a70b6b3ea8fbe3a56e47df3'/>
<id>urn:sha1:29621ecbd1e77e6e1a70b6b3ea8fbe3a56e47df3</id>
<content type='text'>
This commit refactors the core system operations to use a manager-based
dependency injection pattern, eliminating global state and resolving
data races in the test suite.

Architecture:
- Introduced NetworkManager and NetworkOps interface in internal/network
  to abstract netlink calls.
- Introduced MountOps and FileSystem interfaces in internal/namespace
  to abstract mount and filesystem operations.
- Introduced TunnelManager in internal/wireguard to coordinate tunnel
  lifecycle using the new abstractions.
- Updated internal/cli and internal/manager to use these managers.

Testing:
- Restored t.Parallel() to unit tests in internal/network and
  internal/wireguard.
- Implemented setupParallelEnv and an enhanced mockFS in
  wireguard_unit_test.go to ensure complete test isolation.
- Added bootstrap_test.go to verify launcher preparation logic in
  internal/namespace without requiring syscall.Exec.
- Resolved data races in internal/network tests.

CLI:
- Added support for -h, --help, and -help flags for the main command.

Verification:
- Passed all tests (unit, integration, E2E).
- Verified zero data races with 'go test -race'.
- Passed golangci-lint and go vet.
</content>
</entry>
<entry>
<title>refactor: remove dependency on ip CLI tool and abstract network logic</title>
<updated>2026-06-05T03:09:46Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-06-05T03:09:46Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=78059b43e3d00a0f2b75677461692745cce34a63'/>
<id>urn:sha1:78059b43e3d00a0f2b75677461692745cce34a63</id>
<content type='text'>
Eliminate the external dependency on the `ip` (iproute2) command-line tool by centralizing network configuration and diagnostics within a new `internal/network` package using the `netlink` library.

Changes:
- Introduced `internal/network` package to handle network interface listing and configuration.
- Replaced `exec.Command("ip", "link")` in `internal/namespace.VerifyIsolation` with `network.ListInterfaces()`.
- Improved `VerifyIsolation` to explicitly ensure only the loopback interface is present in a fresh network namespace.
- Moved interface and routing configuration logic from `internal/wireguard` to `internal/network`.
- Removed unnecessary `os/exec` imports from network-related files.

This change increases the tool's portability by removing the requirement for `iproute2` to be installed in the target environment.
</content>
</entry>
<entry>
<title>refactor: decouple namespace operations and improve test coverage</title>
<updated>2026-06-05T02:57:35Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-06-05T02:57:35Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=04dca5dada8c2d971ff3b54eeedc5ab6e53a29ac'/>
<id>urn:sha1:04dca5dada8c2d971ff3b54eeedc5ab6e53a29ac</id>
<content type='text'>
- Introduce `namespace.Ops` interface to decouple `Manager` from system-level namespace operations, enabling easier unit testing via mocks.
- Add unit tests for `internal/paths` to verify path resolution logic across different environment configurations.
- Implement `EnsureBinary` helper in E2E tests to gracefully skip tests when `WG_WRAP_BIN` is not set, allowing `go test ./...` to pass in non-build environments.
- Apply project-wide formatting and fix linting issues.
</content>
</entry>
<entry>
<title>refactor: simplify architecture and improve documentation</title>
<updated>2026-06-05T02:38:44Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-06-05T02:38:44Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=66b782e261f1cd928ad6a8482788a65fb484db45'/>
<id>urn:sha1:66b782e261f1cd928ad6a8482788a65fb484db45</id>
<content type='text'>
- Extract orchestration logic from `internal/cli` into a new `internal/manager` package for better composability.
- Migrate technical implementation details from README.md to package-level godoc strings.
- Rewrite README.md to be more user-centric, focusing on quick start and usage.
- Add comprehensive documentation for exported structs and fields across the project.
- Verify all changes with `go fmt`, `go vet`, `golangci-lint`, and full E2E test suite.
</content>
</entry>
<entry>
<title>feat: harden bootstrap and optimize network data path</title>
<updated>2026-05-30T01:07:46Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-30T01:07:46Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=d2173cdbc03884ecd9534e9369f8ebe1634f7e9c'/>
<id>urn:sha1:d2173cdbc03884ecd9534e9369f8ebe1634f7e9c</id>
<content type='text'>
- Security: Eliminate namespace escape risk by removing `HostBind` and enforcing `FDBind` using pre-opened host socket FDs.
- Security: Replace unsafe `atoi` with `strtol` and strict validation in the C launcher to prevent malformed PID joins.
- Stability: Fix PID wraparound by storing session timestamps in PID files to detect recycled PIDs.
- Stability: Resolve DNS mount leaks by implementing proper unmounting of `/etc/resolv.conf` during tunnel shutdown.
- Performance: Optimize `FDBind` throughput by implementing batch packet processing in the receive loop.
- Deployment: Implement `memfd_create` for the C launcher to support `noexec` temporary directories and reduce disk I/O.
- Maintenance: Replace external `ip` CLI dependency with native `netlink` library for robust network configuration.
- Quality: Fix all `golangci-lint` errors and replace remaining panics with explicit error handling.
</content>
</entry>
<entry>
<title>refactor: improve resource management and cleanup patterns</title>
<updated>2026-05-30T00:42:23Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-30T00:42:23Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=b7745456d67f48f56ba94e47946e40805b6ef1ee'/>
<id>urn:sha1:b7745456d67f48f56ba94e47946e40805b6ef1ee</id>
<content type='text'>
- Simplify namespace bootstrapping by introducing `prepareLauncher` helper
- Implement a cleanup stack in `StartTunnel` to ensure orderly resource release on error
- Streamline temporary file and mount lifecycles in `ConfigureResolvConf` and `BlockHostServices`
- Ensure `Tunnel.Close()` also closes the underlying TUN device
- Reduce redundant manual cleanup calls using defer-based error handling
</content>
</entry>
<entry>
<title>Refactor rootless namespace joining to use C launcher</title>
<updated>2026-05-30T00:11:07Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-30T00:11:07Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=4ddd0d2ffc7073f2d55ffb6777e3a168af0051f0'/>
<id>urn:sha1:4ddd0d2ffc7073f2d55ffb6777e3a168af0051f0</id>
<content type='text'>
Fix an architectural shortfall where concurrent sessions failed to share
the target network and mount namespaces. Because the Go runtime is
multi-threaded, calling unix.Setns with CLONE_NEWNS from Go always returned
EINVAL, silently forcing concurrent runs to fall back to bootstrapping separate
isolated namespaces and separate WireGuard connections.

This commit resolves the issue by extending the embedded single-threaded C
launcher to handle namespace joining, and introducing a host-to-isolated path
propagation pattern:

1. Launcher setns Support: The C launcher now checks for WG_WRAP_JOIN_PID in
   the environment. If present, it joins the User, Mount, and Network
   namespaces of the active PID in single-threaded mode before executing the Go
   binary.
2. BootstrapJoin Integration: Implemented namespace.BootstrapJoin to
   transition joining sessions via the launcher.
3. Path Preservation: Export WG_WRAP_HOST_RUNTIME_BASE_DIR from the host to ensure
   the isolated instance maps the profile and PID directories to the exact
   same location.
4. Redundant Tunnel Bypass: Detect joined sessions via WG_WRAP_JOINED=1 in the CLI
   and bypass starting a duplicate WireGuard tunnel on the occupied tun0.
5. Testing: Added tests/e2e/sharing_test.go to assert namespace ID equality,
   which now passes successfully.
6. Git Tracking: Fixed .gitignore overmatch to stop ignoring cmd/wg-wrap/.
</content>
</entry>
<entry>
<title>security, refactor: resolve critical namespace escapes, path traversal, concurrency races, and resource leaks</title>
<updated>2026-05-29T23:41:28Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-29T23:41:28Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=c6a1240e469ff8170cf31b39a01c1cb08fdb86f4'/>
<id>urn:sha1:c6a1240e469ff8170cf31b39a01c1cb08fdb86f4</id>
<content type='text'>
This commit addresses several security vulnerabilities, undefined behaviors, race conditions, and resource leaks across the application:

1. Path Traversal &amp; Arbitrary File/Directory Actions:
   - Implemented `IsValidProfileName` in `internal/cli/cli.go` to restrict profile names to alphanumeric characters, dashes, and underscores.
   - Applied validation to all CLI paths (`--profile`, `import`, `configure`, `delete`, `stop`) to prevent directory traversal and unauthorized directory or file creations/deletions.
   - Added `TestIsValidProfileName` in `internal/cli/cli_test.go`.

2. Network Namespace Escape via Compromised Thread Recycling:
   - Fixed `HostBind.Open` in `internal/wireguard/wireguard.go` to panic immediately instead of returning an error if restoring the isolated namespace fails. This prevents Go from returning the compromised thread (still in host namespace) to the runtime pool.

3. Concurrency Race Conditions &amp; Thread Migration:
   - Added `runtime.LockOSThread()` in `JoinExistingNamespace` (`internal/namespace/pinning.go`) to ensure the goroutine stays on the modified namespace thread before executing the command.
   - Implemented profile locking using advisory file locks (`unix.Flock`) on a `.lock` file in the user's runtime directory (with platform stubs in `internal/namespace/lock_linux.go` and `internal/namespace/lock_stub.go`).
   - Integrated locking during `App.Run` and `App.ExecuteCommand`, releasing the lock right before spawning the wrapped process.

4. File Descriptor Leaks on Bootstrap Failures:
   - Refactored `Bootstrap()` in `internal/namespace/namespace.go` to use named return values and a deferred cleanup loop that closes `execFd`, `hostNetFd`, and the duplicated `hostSocketFd` if `syscall.Exec` fails.
   - Added an explicit `conn.Close()` on the original socket connection after duplication.

5. Glibc Undefined Behavior / Crash on argc == 0:
   - Corrected `internal/namespace/launcher_src/launcher.c` to not reference `argv[0]` when `argc &lt; 1`. Recompiled `internal/namespace/launcher.bin`.

6. DNS Fallback Usability &amp; Import Safety:
   - Added validation in `ExecuteCommand` to issue a warning when falling back to `1.1.1.1` if the configuration does not route all traffic (`0.0.0.0/0` or `::/0`).
   - Prevented silent overwrites in `handleProfileImport` if the destination profile already exists, and added a corresponding unit test verifying failure.
</content>
</entry>
<entry>
<title>refactor: optimize file cleanups, propagate exit codes, and fix Makefile</title>
<updated>2026-05-29T23:21:49Z</updated>
<author>
<name>James O'Doherty</name>
<email>james@theodohertyfamily.com</email>
</author>
<published>2026-05-29T23:21:49Z</published>
<link rel='alternate' type='text/html' href='https://git.theodohertyfamily.com/wg-wrap.git/commit/?id=70096b533d42b684ab13651aaae884047e01e43d'/>
<id>urn:sha1:70096b533d42b684ab13651aaae884047e01e43d</id>
<content type='text'>
- Unlink the temporary bootstrap launcher binary immediately after opening a read-only descriptor to it, then execute via `/proc/self/fd/&lt;fd&gt;` to ensure zero-disk footprint on execution.
- Unlink temporary `/tmp/resolvconf*` files immediately after successful bind-mounting over `/etc/resolv.conf`.
- Prune parent ephemeral profile directories when unpinning a namespace, leaving zero directories behind once empty.
- Propagate the exact exit status of the wrapped command to the host process using `errors.As` and `*exec.ExitError` instead of defaulting to exit code 1.
- Added E2E automated test `TestExitCodePropagation` to verify exit status delivery.
- Added the `$(BINARY)` target to `.PHONY` in the Makefile to delegate dependency tracking to Go's compiler cache, ensuring modified Go files are rebuilt during `make test`.
</content>
</entry>
</feed>
