Age | Commit message | Author

- Security: Eliminate namespace escape risk by removing `HostBind` and enforcing `FDBind` using pre-opened host socket FDs.
- Security: Replace unsafe `atoi` with `strtol` and strict validation in the C launcher to prevent malformed PID joins.
- Stability: Fix PID wraparound by storing session timestamps in PID files to detect recycled PIDs.
- Stability: Resolve DNS mount leaks by implementing proper unmounting of `/etc/resolv.conf` during tunnel shutdown.
- Performance: Optimize `FDBind` throughput by implementing batch packet processing in the receive loop.
- Deployment: Implement `memfd_create` for the C launcher to support `noexec` temporary directories and reduce disk I/O.
- Maintenance: Replace external `ip` CLI dependency with native `netlink` library for robust network configuration.
- Quality: Fix all `golangci-lint` errors and replace remaining panics with explicit error handling.
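The two launcher fixes above (strict PID parsing instead of `atoi`, and a recorded timestamp so a recycled PID is not mistaken for the session owner) are easy to get subtly wrong, so here is an added worked example in C. It is not the project's launcher code. It assumes a PID-file format of `<pid> <starttime>` and uses the kernel's per-process start time from `/proc/<pid>/stat` as the recorded timestamp; the function names `parse_pid`, `proc_start_time` and `pid_file_join_ok` are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Largest PID Linux can hand out on 64-bit (kernel PID_MAX_LIMIT); the
 * effective limit is /proc/sys/kernel/pid_max, which is never higher. */
#define PID_MAX_LIMIT 4194304L

/* Strict PID parser for a "join" path. Accepts only a run of ASCII digits
 * in the range 1..PID_MAX_LIMIT; rejects empty input, leading whitespace,
 * signs, trailing bytes and overflow. atoi() would silently accept "12ab"
 * (as 12), "" (as 0) and "-1". Returns 0 with *out set, or -1. */
int parse_pid(const char *s, pid_t *out) {
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                          /* "", " 12", "+5", "-1" */
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')    /* overflow, "12ab", "12\n" */
        return -1;
    if (v < 1 || v > PID_MAX_LIMIT)         /* 0 is never a joinable process */
        return -1;
    *out = (pid_t)v;
    return 0;
}

/* Same strictness for the start-time token of the PID file. */
static int parse_ull(const char *s, unsigned long long *out) {
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Kernel start time of `pid`: field 22 of /proc/<pid>/stat (clock ticks
 * since boot). Field 2 (comm) may itself contain spaces and ')', so fields
 * are counted from the last ')'. Returns 0 on success, -1 if the process
 * is gone or the file cannot be parsed. */
int proc_start_time(pid_t pid, unsigned long long *starttime) {
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');
    if (p == NULL) return -1;
    p++;                                    /* at the space before field 3 */
    for (int i = 3; i < 22; i++) {          /* walk to the space before field 22 */
        p = strchr(p + 1, ' ');
        if (p == NULL) return -1;
    }
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p + 1, &end, 10);
    if (errno == ERANGE || end == p + 1) return -1;
    *starttime = v;
    return 0;
}

/* PID file contents are assumed to be "<pid> <starttime>\n", written by the
 * process that created the session. A join is allowed only if the PID parses
 * strictly, the process still exists, and its current start time equals the
 * recorded one: after PID wraparound an unrelated process can hold the same
 * PID but never the same start time. Returns 1 if the join is safe, else 0. */
int pid_file_join_ok(const char *contents, pid_t *pid) {
    char pidtok[32], tstok[32];
    unsigned long long recorded, current;
    if (sscanf(contents, "%31s %31s", pidtok, tstok) != 2) return 0;
    if (parse_pid(pidtok, pid) != 0) return 0;
    if (parse_ull(tstok, &recorded) != 0) return 0;
    if (proc_start_time(*pid, &current) != 0) return 0;  /* no such process */
    return current == recorded;
}

int main(int argc, char **argv) {
    /* Usage: ./pidjoin "<pid> <starttime>"; with no argument, check ourselves. */
    char self[64];
    unsigned long long st;
    if (argc < 2) {
        if (proc_start_time(getpid(), &st) != 0) return 1;
        snprintf(self, sizeof self, "%ld %llu", (long)getpid(), st);
    }
    pid_t pid;
    const char *contents = argc < 2 ? self : argv[1];
    int ok = pid_file_join_ok(contents, &pid);
    printf("join \"%s\": %s\n", contents, ok ? "safe" : "rejected");
    return ok ? 0 : 2;
}
```

The start-time comparison is what closes the wraparound window: a PID check alone (`kill(pid, 0)`) only proves that some process has the number, not that it is the session owner.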
Upgrades several indirect and direct dependencies to their latest safe versions,
successfully resolving 26 dormant vulnerabilities identified by govulncheck.
- Upgraded golang.org/x/crypto from v0.37.0 to v0.52.0 (remediating 13 CVEs)
- Upgraded golang.org/x/net from v0.39.0 to v0.55.0 (remediating 12 CVEs)
- Upgraded golang.org/x/sys from v0.32.0 to v0.45.0 (remediating 1 CVE)
- Upgraded golang.zx2c4.com/wireguard to v0.0.0-20260522210424-ecfc5a8d5446
Ran `go mod tidy` and verified that all unit, integration, and E2E
data-plane tests continue to compile and pass successfully.
- Implement complete rootless network namespace bootstrap via C launcher using unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET).
- Resolve unprivileged network isolation blackhole via host-socket preservation (FD passing): open client UDP sockets on the host pre-isolation, clear O_CLOEXEC, and ingest them via custom `FDBind` inside the sandbox.
- Implement isolated routing table automation over `tun0` (addresses, MTU, default routes).
- Implement persistent, multi-process namespace sharing and joining using reference-counted PID files and the setns system call.
- Write robust, self-contained E2E data plane test suites in `tests/e2e/e2e_test.go` using a mock UDP listener.
- Update project documentation (`README.md` and `AGENTS.md`) to reflect completed milestones.
- Ensure 100% test passing rate and zero lint/staticcheck warnings.
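The bootstrap and the FD-passing fix described above rest on one kernel property: a socket stays attached to the network namespace it was created in, even after the process calls `unshare(CLONE_NEWNET)`. The following is an added example in C showing that property end to end; it is not the project's launcher. It assumes a loopback-bound UDP socket stands in for the client socket, and the names `open_host_udp_socket`, `enter_rootless_netns` and `loopback_roundtrip` are this example's own. Running it requires unprivileged user namespaces to be enabled.

```c
#define _GNU_SOURCE             /* unshare() and CLONE_NEW* in <sched.h> */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallback definitions (stable Linux ABI values) in case <sched.h> was
 * already included without _GNU_SOURCE by a translation unit prefix. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
int unshare(int flags);

/* Open a UDP socket bound to 127.0.0.1:<ephemeral> while still in the host
 * network namespace. It is created close-on-exec like every other descriptor,
 * then FD_CLOEXEC is cleared for this one socket so it survives the execve()
 * of the sandboxed child, which picks it up by descriptor number (FDBind). */
int open_host_udp_socket(void) {
    int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0 };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0) { close(fd); return -1; }
    return fd;
}

/* 1 if FD_CLOEXEC is set, 0 if cleared, -1 on error. */
int fd_is_cloexec(int fd) {
    int f = fcntl(fd, F_GETFD);
    return f < 0 ? -1 : !!(f & FD_CLOEXEC);
}

static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Enter fresh user, mount and network namespaces without privileges. The
 * single-entry uid/gid maps make the caller root inside the namespace;
 * "deny" must be written to setgroups before an unprivileged gid_map write.
 * Returns 0, or -1 with errno set (EPERM/EINVAL when unprivileged user
 * namespaces are disabled, or the process is multithreaded). */
int enter_rootless_netns(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET) < 0) return -1;
    char map[64];
    if (write_file("/proc/self/setgroups", "deny") < 0) return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) < 0) return -1;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) < 0) return -1;
    return 0;
}

/* Send a constructed datagram from the socket to its own address and read it
 * back. Returns 1 on a successful round trip, 0 otherwise. Inside the new
 * namespace only a down `lo` exists, so a socket created there is a black
 * hole; the pre-opened host socket still round-trips because it belongs to
 * the host namespace. */
int loopback_roundtrip(int fd) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &alen) < 0) return 0;
    struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    const char msg[] = "ping";          /* constructed payload */
    if (sendto(fd, msg, sizeof msg, 0, (struct sockaddr *)&a, alen) != (ssize_t)sizeof msg) return 0;
    char buf[16];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    return n == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0;
}

int main(void) {
    int fd = open_host_udp_socket();
    if (fd < 0) { perror("open_host_udp_socket"); return 1; }
    printf("host socket fd=%d cloexec=%d roundtrip=%d\n", fd, fd_is_cloexec(fd), loopback_roundtrip(fd));
    if (enter_rootless_netns() < 0) { perror("enter_rootless_netns"); return 1; }
    printf("inside new netns (euid=%u): host socket roundtrip=%d\n", (unsigned)geteuid(), loopback_roundtrip(fd));
    int inner = open_host_udp_socket();     /* created after unshare: lives in the new netns */
    if (inner < 0) printf("socket created inside netns: bind failed: %s\n", strerror(errno));
    else printf("socket created inside netns: roundtrip=%d\n", loopback_roundtrip(inner));
    return 0;
}
```

The order matters: the socket must be opened and bound before `unshare`, and the launcher must clear `FD_CLOEXEC` only on the descriptors it intends to hand over, leaving everything else close-on-exec so the sandboxed process inherits nothing it was not meant to see.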