diff --git a/internal/sandbox/linux.go b/internal/sandbox/linux.go
index 52135ca..d49a4de 100644
--- a/internal/sandbox/linux.go
+++ b/internal/sandbox/linux.go
@@ -421,10 +421,6 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *Lin
 // Get fence executable path for Landlock wrapper
 fenceExePath, _ := os.Executable()
 useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != ""
- if useLandlockWrapper {
- // Ensure fence binary is accessible inside the sandbox (it should be via ro-bind /)
- // We'll call it at the end of the script to apply Landlock before running user command
- }
 bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
diff --git a/internal/sandbox/linux_ebpf.go b/internal/sandbox/linux_ebpf.go
index 5c0ad8e..73ffff2 100644
--- a/internal/sandbox/linux_ebpf.go
+++ b/internal/sandbox/linux_ebpf.go
@@ -85,7 +85,7 @@ func (m *EBPFMonitor) Stop() {
 // Clean up the script file
 if m.scriptPath != "" {
- os.Remove(m.scriptPath)
+ _ = os.Remove(m.scriptPath)
 }
 m.running = false
@@ -110,13 +110,13 @@ func (m *EBPFMonitor) tryBpftrace(ctx context.Context) error {
 m.scriptPath = scriptPath // Store for cleanup later
 if _, err := tmpFile.WriteString(script); err != nil {
- tmpFile.Close()
- os.Remove(scriptPath)
+ _ = tmpFile.Close()
+ _ = os.Remove(scriptPath)
 return fmt.Errorf("failed to write script: %w", err)
 }
- tmpFile.Close()
+ _ = tmpFile.Close()
- m.cmd = exec.CommandContext(ctx, bpftracePath, tmpFile.Name())
+ m.cmd = exec.CommandContext(ctx, bpftracePath, tmpFile.Name()) //nolint:gosec // bpftracePath from LookPath
 stdout, err := m.cmd.StdoutPipe()
 if err != nil {
 return fmt.Errorf("failed to create pipe: %w", err)
@@ -252,7 +252,7 @@ func (m *EBPFMonitor) traceWithPerfEvents() {
 }
 return
 }
- defer f.Close()
+ defer func() { _ = f.Close() }()
 // We'd need to set up tracepoints first, which requires additional setup
 // For now, this is a placeholder for the full implementation
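Review bot: In tryBpftrace (linux_ebpf.go, hunk at -110) the success-path `_ = tmpFile.Close()` drops the one Close error that matters, because the script has just been written and is handed to bpftrace on the next changed line, and on some filesystems a failed write is first reported at Close. I would check it there, `if err := tmpFile.Close(); err != nil { _ = os.Remove(scriptPath); return fmt.Errorf("failed to close script: %w", err) }`, and keep `_ =` only on the error path where the write failure is already being returned. The deferred `_ = f.Close()` in writeBPFProgram (linux_seccomp.go) has the same shape for the seccomp filter file. tryBpftrace begins and ends outside the hunk.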
@@ -297,7 +297,7 @@ func CheckBpftraceAvailable() bool {
 }
 // Verify it can run (needs permissions)
- cmd := exec.Command(path, "--version")
+ cmd := exec.Command(path, "--version") //nolint:gosec // path from LookPath
 return cmd.Run() == nil
 }
diff --git a/internal/sandbox/linux_features.go b/internal/sandbox/linux_features.go
index faceb75..da3ed5e 100644
--- a/internal/sandbox/linux_features.go
+++ b/internal/sandbox/linux_features.go
@@ -136,7 +136,7 @@ func (f *LinuxFeatures) detectLandlock() {
 }
 ret, _, err = unix.Syscall(
 unix.SYS_LANDLOCK_CREATE_RULESET,
- uintptr(unsafe.Pointer(&attr)),
+ uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
 unsafe.Sizeof(attr),
 0,
 )
diff --git a/internal/sandbox/linux_landlock.go b/internal/sandbox/linux_landlock.go
index 1bad609..8706bf0 100644
--- a/internal/sandbox/linux_landlock.go
+++ b/internal/sandbox/linux_landlock.go
@@ -36,7 +36,7 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 }
 return nil // Graceful fallback
 }
- defer ruleset.Close()
+ defer func() { _ = ruleset.Close() }()
 if err := ruleset.Initialize(); err != nil {
 if debug {
@@ -184,7 +184,7 @@ func (l *LandlockRuleset) Initialize() error {
 fd, _, err := unix.Syscall(
 unix.SYS_LANDLOCK_CREATE_RULESET,
- uintptr(unsafe.Pointer(&attr)),
+ uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
 unsafe.Sizeof(attr),
 0,
 )
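Review bot: The `//nolint:gosec // path from LookPath` rationale in CheckBpftraceAvailable (linux_ebpf.go) does not by itself make the executed path trusted, because exec.LookPath resolves the name against the process's PATH, so the binary is chosen by the environment. The same rationale is used on `exec.CommandContext(ctx, bpftracePath, tmpFile.Name())` in tryBpftrace. If fence can run with elevated privileges (bpftrace usually needs them; that is an assumption, not visible here), the comment should say why PATH is trusted at that point, for example `//nolint:gosec // path resolved by LookPath; PATH is trusted because <reason>`, or the lookup should be limited to fixed directories. The LookPath call itself is outside the hunk.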
@@ -315,21 +315,21 @@ func (l *LandlockRuleset) addPathRule(path string, access uint64) error {
 }
 return nil // Don't fail on paths we can't access
 }
- defer unix.Close(fd)
+ defer func() { _ = unix.Close(fd) }()
 // Intersect with handled access to avoid invalid combinations
 access &= l.getHandledAccessFS()
 attr := landlockPathBeneathAttr{
 allowedAccess: access,
- parentFd: int32(fd),
+ parentFd: int32(fd), //nolint:gosec // fd from unix.Open fits in int32
 }
 _, _, errno := unix.Syscall(
 unix.SYS_LANDLOCK_ADD_RULE,
 uintptr(l.rulesetFd),
 LANDLOCK_RULE_PATH_BENEATH,
- uintptr(unsafe.Pointer(&attr)),
+ uintptr(unsafe.Pointer(&attr)), //nolint:gosec // required for syscall
 )
 if errno != 0 {
 return fmt.Errorf("failed to add Landlock rule for %s: %w", absPath, errno)
diff --git a/internal/sandbox/linux_seccomp.go b/internal/sandbox/linux_seccomp.go
index 5b48558..665eb89 100644
--- a/internal/sandbox/linux_seccomp.go
+++ b/internal/sandbox/linux_seccomp.go
@@ -133,9 +133,9 @@ func (s *SeccompFilter) writeBPFProgram(path string) error {
 // BPF_JMP | BPF_JEQ | BPF_K: if A == K, jump jt else jump jf
 program = append(program, bpfInstruction{
 code: BPF_JMP | BPF_JEQ | BPF_K,
- jt: 0, // if match, go to next instruction (block)
- jf: 1, // if not match, skip the block instruction
- k: uint32(num),
+ jt: 0, // if match, go to next instruction (block)
+ jf: 1, // if not match, skip the block instruction
+ k: uint32(num), //nolint:gosec // syscall numbers fit in uint32
 })
 // Return action (block with EPERM)
@@ -152,11 +152,11 @@ func (s *SeccompFilter) writeBPFProgram(path string) error {
 })
 // Write the program to file
- f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
+ f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) //nolint:gosec // path is controlled
 if err != nil {
 return err
 }
- defer f.Close()
+ defer func() { _ = f.Close() }()
 for _, inst := range program {
 if err := inst.writeTo(f); err != nil {
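Review bot: After `access &= l.getHandledAccessFS()` in addPathRule (linux_landlock.go) the mask can become zero, for instance when a caller asks only for rights the running kernel's Landlock ABI does not handle, and the hunk shows no guard before the landlock_add_rule syscall. The kernel rejects an empty allowed_access with ENOMSG, so this would surface as "failed to add Landlock rule" rather than the graceful skip used for paths that cannot be opened. A guard right after the intersection, `if access == 0 { return nil }`, would match that fallback, and skipping an allow rule only makes the ruleset stricter. Whether callers can actually pass such a mask is not visible here; the function begins and ends outside the hunk.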
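Review bot: The suppression `//nolint:gosec // path is controlled` on the os.OpenFile call in writeBPFProgram (linux_seccomp.go, hunk at -152) does not say who controls `path`, and the flags `os.O_CREATE|os.O_WRONLY|os.O_TRUNC` follow an existing symlink and truncate whatever it points to. If the caller creates the path in a private directory or through os.CreateTemp, the comment should say so, for example `//nolint:gosec // path comes from <creator>, in a directory only this user can write`; otherwise adding `os.O_EXCL` would make the open fail instead of reusing a pre-existing file. The caller is outside the hunk, so this is a request to document or tighten the open, not a confirmed flaw.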