From a7c7fa9e76c9c7015c31378062aa5d0c17b0f38f Mon Sep 17 00:00:00 2001
From: James O'Doherty
Date: Fri, 29 May 2026 19:56:45 -0400
Subject: Fix DNS leaks, lifecycle race, and editor arg splitting

- DNS Leak / Isolation Bypass: Blocked glibc's systemd-resolved and D-Bus socket communication within the unprivileged mount namespace by introducing BlockHostServices(). This targeted mount-blocking forces glibc to fall back to the standard resolv.conf DNS routing path and prevents host leaks.
- Lifecycle Race: Reordered and protected the reference-counting cleanup routine under the profile flock to ensure that check-and-unpin operations are atomic and do not teardown namespaces actively used by parallel processes.
- Editor Arguments: Split the EDITOR environment variable into discrete field tokens before invocation to support editor configurations containing command-line flags.
- Testing: Added E2E regression tests for DNS leak detection, namespace unpinning concurrency, and editor argument parsing. All E2E tests now compile and pass cleanly.
---
 Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 0597d84..3ae72ea 100644
--- a/Makefile
+++ b/Makefile
@@ -27,10 +27,13 @@ $(BINARY): $(LAUNCHER_BIN)
 $(LAUNCHER_BIN): $(LAUNCHER_SRC)
 $(CC) $(CFLAGS) $(LAUNCHER_SRC) -o $(LAUNCHER_BIN)
+# Test arguments (can be overridden from CLI: make test TEST_ARGS="-run TestName")
+TEST_ARGS ?= -timeout 30s
+
 # Run tests
 test: $(BINARY)
 @echo "Running tests with WG_WRAP_BIN=$(shell pwd)/$(BINARY)"
- WG_WRAP_BIN=$(shell pwd)/$(BINARY) go test -v -race ./...
+ WG_WRAP_BIN=$(shell pwd)/$(BINARY) go test -v -race $(TEST_ARGS) ./...
 # Run fuzzing tests
 fuzz: clean
--
cgit v1.2.3
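Review bot: The override shown in the new comment, `make test TEST_ARGS="-run TestName"`, replaces the whole default value, so it silently drops `-timeout 30s` and `go test` falls back to its own 10-minute default. That matters for the namespace-unpinning and lifecycle tests the commit message describes, because a hung test is exactly what the timeout is there to catch. Keeping the limit in its own variable preserves it under any override: `TEST_TIMEOUT ?= 30s`, `TEST_ARGS ?=`, and `go test -v -race -timeout $(TEST_TIMEOUT) $(TEST_ARGS) ./...`. Because `?=` also takes a value from the environment, a `TEST_ARGS` exported in a CI job would narrow which tests run without any change to the Makefile, so the comment should say `# also read from the environment`. The body of the `fuzz` rule lies outside the hunk.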