monadical/greywall
Archived
14
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

Handle library usage and missing network namespace gracefully

Browse Source
This commit is contained in:
JY Tan
2025-12-26 16:19:07 -08:00
parent 6fdd1af057
commit 6c21e008c3
3 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/sandbox/linux.go
View File

@@ -433,11 +433,17 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *Lin
// Skip Landlock wrapper if executable is in /tmp (test binaries are built there)
// The wrapper won't work because --tmpfs /tmp hides the test binary
executableInTmp := strings.HasPrefix(fenceExePath, "/tmp/")
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != "" && !executableInTmp
// Skip Landlock wrapper if fence is being used as a library (executable is not fence)
// The wrapper re-executes the binary with --landlock-apply, which only fence understands
executableIsFence := strings.Contains(filepath.Base(fenceExePath), "fence")
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != "" && !executableInTmp && executableIsFence
if opts.Debug && executableInTmp {
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (executable in /tmp, likely a test)\n")
}
if opts.Debug && !executableIsFence {
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (running as library, not fence CLI)\n")
}
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")