fix: bind-mount greywall binary for Landlock wrapper re-execution
The Landlock wrapper re-executes the greywall binary inside the sandbox with --landlock-apply. When greywall is run from a path outside the CWD (e.g., ~/bin/greywall from /home/user/project), the binary doesn't exist inside the sandbox because only system paths and CWD are mounted. This adds a --ro-bind for the greywall executable so the wrapper always works regardless of where the binary is located.
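--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -976,6 +976,14 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping Landlock wrapper (running as library, not greywall CLI)\n")
 }
 
+// Bind-mount the greywall binary into the sandbox so the Landlock wrapper
+// can re-execute it. Without this, running greywall from a directory that
+// isn't the CWD (e.g., ~/bin/greywall from /home/user/project) would fail
+// because the binary path doesn't exist inside the sandbox.
+if useLandlockWrapper && greywallExePath != "" {
+bwrapArgs = append(bwrapArgs, "--ro-bind", greywallExePath, greywallExePath)
+}
+
 bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")
 
 // Build the inner command that sets up tun2socks and runs the user command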
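Review bot: The new `--ro-bind` line assumes greywallExePath still exists when bwrap starts; if it is stale (on Linux os.Executable() reads /proc/self/exe, which carries a ` (deleted)` suffix once the binary has been replaced on disk), bwrap aborts with a generic mount error instead of a message naming the cause. A check before the append such as `if _, err := os.Stat(greywallExePath); err != nil { return an error naming greywallExePath and wrapping err }` would surface this clearly, and the error should be returned rather than logged and ignored so the caller does not proceed without the sandbox (I cannot see how greywallExePath is derived or what the function returns, so this is inferred). The comment could also record the reason the mount is read-only, e.g. `// Read-only so the sandboxed process cannot modify the supervisor binary it re-executes.` WrapCommandLinuxWithOptions starts and ends outside this hunk.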