| Age | Commit message (Collapse) | Author |
|---|
|
Prevent the ambiguity where a mistyped subcommand was interpreted as the target
wrapped process.
- Introduce `run` and `exec` (alias) subcommands for launching wrapped processes.
- Promote internal test commands (`test-ns`, `test-args`, `test-lifecycle`) to explicit subcommands.
- Update CLI routing to return an error for unknown subcommands instead of falling back to the default execution path.
- Update `README.md` usage examples and all test suites to use the new subcommand structure.
|
|
- Fix DNS resolver leaks by creating temporary resolv.conf files within the profile's runtime directory and ensuring robust cleanup.
- Fix isolation block directory leaks by explicitly removing the block directory during namespace unpinning.
- Improve namespace lifecycle management:
- Register processes before joining an active namespace to prevent race conditions in reference counting.
- Update `IsLastProcess` and corresponding tests to reflect the unregister-then-check cleanup flow.
- Improve test reliability and correctness:
- Convert `TestAppRun_ProfileDirInjection` to use separate binary execution, preventing process replacement and ensuring `t.TempDir()` cleanup.
- Replace hardcoded test configuration paths with `t.TempDir()` in `mount_leak_test.go`.
- Implement `SetEnvOverrides` helper for cleaner environment variable management in E2E tests.
- Improve E2E lifecycle tests with better environment handling and output redirection.
|
|
- Added `test-lifecycle` CLI command to verify active session state.
- Replaced manual filesystem polling and `time.Sleep` in E2E tests with `waitForLifecycle` synchronization.
- Optimized `TestConfigHotSwap` by reducing artificial sleep durations.
- Fixed linting issue (ST1023) in `internal/cli/cli.go`.
These changes reduce total test execution time to under 15 seconds and improve the determinism of lifecycle verification.
|
|
concurrency races, and resource leaks
This commit addresses several security vulnerabilities, undefined behaviors, race conditions, and resource leaks across the application:
1. Path Traversal & Arbitrary File/Directory Actions:
- Implemented `IsValidProfileName` in `internal/cli/cli.go` to restrict profile names to alphanumeric characters, dashes, and underscores.
- Applied validation to all CLI paths (`--profile`, `import`, `configure`, `delete`, `stop`) to prevent directory traversal and unauthorized directory or file creations/deletions.
- Added `TestIsValidProfileName` in `internal/cli/cli_test.go`.
2. Network Namespace Escape via Compromised Thread recycling:
- Fixed `HostBind.Open` in `internal/wireguard/wireguard.go` to panic immediately instead of returning an error if restoring the isolated namespace fails. This prevents Go from returning the compromised thread (still in host namespace) to the runtime pool.
3. Concurrency Race Conditions & Thread Migration:
- Added `runtime.LockOSThread()` in `JoinExistingNamespace` (`internal/namespace/pinning.go`) to ensure the goroutine stays on the modified namespace thread before executing the command.
- Implemented profile locking using advisory file locks (`unix.Flock`) on a `.lock` file in the user's runtime directory (with platform stubs in `internal/namespace/lock_linux.go` and `internal/namespace/lock_stub.go`).
- Integrated locking during `App.Run` and `App.ExecuteCommand`, releasing the lock right before spawning the wrapped process.
4. File Descriptor Leaks on Bootstrap Failures:
- Refactored `Bootstrap()` in `internal/namespace/namespace.go` to use named return values and a deferred cleanup loop that closes `execFd`, `hostNetFd`, and the duplicated `hostSocketFd` if `syscall.Exec` fails.
- Added an explicit `conn.Close()` on the original socket connection after duplication.
5. Glibc Undefined Behavior / Crash on argc == 0:
- Corrected `internal/namespace/launcher_src/launcher.c` to not reference `argv[0]` when `argc < 1`. Recompiled `internal/namespace/launcher.bin`.
6. DNS Fallback Usability & Import Safety:
- Added validation in `ExecuteCommand` to issue a warning when falling back to `1.1.1.1` if the configuration does not route all traffic (`0.0.0.0/0` or `::/0`).
- Prevented silent overwrites in `handleProfileImport` if the destination profile already exists, and added a corresponding unit test verifying failure.
|
|
- Implement complete rootless network namespace bootstrap via C launcher using unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET).
- Resolve unprivileged network isolation blackhole via host-socket preservation (FD passing): open client UDP sockets on the host pre-isolation, clear O_CLOEXEC, and ingest them via custom `FDBind` inside the sandbox.
- Implement isolated routing table automation over `tun0` (addresses, MTU, default routes).
- Implement persistent, multi-process namespace sharing and joining using reference-counted PID files and the setns system call.
- Write robust, self-contained E2E data plane test suites in `tests/e2e/e2e_test.go` using a mock UDP listener.
- Update project documentation (`README.md` and `AGENTS.md`) to reflect completed milestones.
- Ensure 100% test passing rate and zero lint/staticcheck warnings.
|
|
- Create internal/paths package for unified config and runtime directory resolution
- Implement robust WireGuard config parsing in pkg/wgconf
- Implement profile management subcommands: list, import, configure, delete, stop
- Fix namespace pinning path collisions (separating .ns files from pids directories)
- Implement and verify namespace unpinning logic
- Fix linting errors and improve error handling across the project
|
|
counting
|
|
|
|
|
