| Age | Commit message | Author | |
|---|---|---|---|
| 2026-05-29 | Fix DNS leaks, lifecycle race, and editor arg splitting | James O'Doherty | |
| - DNS Leak / Isolation Bypass: Blocked glibc's systemd-resolved and D-Bus socket communication within the unprivileged mount namespace by introducing BlockHostServices(). This targeted mount-blocking forces glibc to fall back to the standard resolv.conf DNS routing path and prevents host leaks. - Lifecycle Race: Reordered and protected the reference-counting cleanup routine under the profile flock to ensure that check-and-unpin operations are atomic and do not tear down namespaces actively used by parallel processes. - Editor Arguments: Split the EDITOR environment variable into discrete field tokens before invocation to support editor configurations containing command-line flags. - Testing: Added E2E regression tests for DNS leak detection, namespace unpinning concurrency, and editor argument parsing. All E2E tests now compile and pass cleanly. | |||
| 2026-05-29 | feat: implement userspace wireguard data-path and unprivileged host fd-passing | James O'Doherty | |
| - Implement complete rootless network namespace bootstrap via C launcher using unshare(CLONE_NEWUSER \| CLONE_NEWNS \| CLONE_NEWNET). - Resolve unprivileged network isolation blackhole via host-socket preservation (FD passing): open client UDP sockets on the host pre-isolation, clear O_CLOEXEC, and ingest them via custom `FDBind` inside the sandbox. - Implement isolated routing table automation over `tun0` (addresses, MTU, default routes). - Implement persistent, multi-process namespace sharing and joining using reference-counted PID files and the setns system call. - Write robust, self-contained E2E data plane test suites in `tests/e2e/e2e_test.go` using a mock UDP listener. - Update project documentation (`README.md` and `AGENTS.md`) to reflect completed milestones. - Ensure 100% test passing rate and zero lint/staticcheck warnings. | |||
| 2026-05-22 | Security hardening: prevent shell injection and null-byte crashes, implement ↵ | James O'Doherty | |
| 8-bit clean argument fuzzing and portable E2E binary discovery | |||
| 2026-05-22 | feat: add argument verification diagnostic and secure temp files for launcher | James O'Doherty | |
| 2026-05-22 | docs: update README and AGENTS.md to reflect embedded launcher architecture | James O'Doherty | |
| 2026-05-22 | Update AGENTS.md with performance conventions and add t.Parallel to CLI tests | James O'Doherty | |
| 2026-05-22 | Implement platform compatibility stubs and update AGENTS.md | James O'Doherty | |
| 2026-05-22 | Refactor CLI for testability and implement hermetic config path injection | James O'Doherty | |
| 2026-05-22 | Scaffold wg-wrap project structure and toolchain | James O'Doherty | |
