monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

Enhance Linux sandbox security features with Landlock, seccomp, and eBPF monitoring

Browse Source
This commit is contained in:
JY Tan
2025-12-25 17:33:55 -08:00
parent a8158a39b3
commit 08ed28f88f
20 changed files with 2820 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
internal/sandbox/linux_stub.go Normal file
View File

@@ -0,0 +1,72 @@
//go:build !linux
package sandbox
import (
"fmt"
"github.com/Use-Tusk/fence/internal/config"
)
// LinuxBridge is a stub for non-Linux platforms.
type LinuxBridge struct {
HTTPSocketPath string
SOCKSSocketPath string
}
// ReverseBridge is a stub for non-Linux platforms.
type ReverseBridge struct {
Ports []int
SocketPaths []string
}
// LinuxSandboxOptions is a stub for non-Linux platforms.
type LinuxSandboxOptions struct {
UseLandlock bool
UseSeccomp bool
UseEBPF bool
Monitor bool
Debug bool
}
// NewLinuxBridge returns an error on non-Linux platforms.
func NewLinuxBridge(httpProxyPort, socksProxyPort int, debug bool) (*LinuxBridge, error) {
return nil, fmt.Errorf("Linux bridge not available on this platform")
}
// Cleanup is a no-op on non-Linux platforms.
func (b *LinuxBridge) Cleanup() {}
// NewReverseBridge returns an error on non-Linux platforms.
func NewReverseBridge(ports []int, debug bool) (*ReverseBridge, error) {
return nil, fmt.Errorf("reverse bridge not available on this platform")
}
// Cleanup is a no-op on non-Linux platforms.
func (b *ReverseBridge) Cleanup() {}
// WrapCommandLinux returns an error on non-Linux platforms.
func WrapCommandLinux(cfg *config.Config, command string, bridge *LinuxBridge, reverseBridge *ReverseBridge, debug bool) (string, error) {
return "", fmt.Errorf("Linux sandbox not available on this platform")
}
// WrapCommandLinuxWithOptions returns an error on non-Linux platforms.
func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *LinuxBridge, reverseBridge *ReverseBridge, opts LinuxSandboxOptions) (string, error) {
return "", fmt.Errorf("Linux sandbox not available on this platform")
}
// StartLinuxMonitor returns nil on non-Linux platforms.
func StartLinuxMonitor(pid int, opts LinuxSandboxOptions) (*LinuxMonitors, error) {
return nil, nil
}
// LinuxMonitors is a stub for non-Linux platforms.
type LinuxMonitors struct{}
// Stop is a no-op on non-Linux platforms.
func (m *LinuxMonitors) Stop() {}
// PrintLinuxFeatures prints a message on non-Linux platforms.
func PrintLinuxFeatures() {
fmt.Println("Linux sandbox features are only available on Linux.")
}