monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

fix: bind-mount greywall binary for Landlock wrapper re-execution
Some checks failed
Build and test / Build (push) Successful in 16s
Details
Build and test / Lint (push) Failing after 1m19s
Details
Build and test / Test (Linux) (push) Failing after 42s
Details

Browse Source 
The Landlock wrapper re-executes the greywall binary inside the sandbox
with --landlock-apply. When greywall is run from a path outside the CWD
(e.g., ~/bin/greywall from /home/user/project), the binary doesn't exist
inside the sandbox because only system paths and CWD are mounted. This
adds a --ro-bind for the greywall executable so the wrapper always works
regardless of where the binary is located.
This commit is contained in:
Mathieu Virbel
2026-02-22 16:56:45 -06:00
parent ed6517cc24
commit 62bf37d481
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/sandbox/linux.go
View File

@@ -976,6 +976,14 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping Landlock wrapper (running as library, not greywall CLI)\n")
}
// Bind-mount the greywall binary into the sandbox so the Landlock wrapper
// can re-execute it. Without this, running greywall from a directory that
// isn't the CWD (e.g., ~/bin/greywall from /home/user/project) would fail
// because the binary path doesn't exist inside the sandbox.
if useLandlockWrapper && greywallExePath != "" {
bwrapArgs = append(bwrapArgs, "--ro-bind", greywallExePath, greywallExePath)
}
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
// Build the inner command that sets up tun2socks and runs the user command