monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

Handle library usage and missing network namespace gracefully

Browse Source
This commit is contained in:
JY Tan
2025-12-26 16:19:07 -08:00
parent 6fdd1af057
commit 6c21e008c3
3 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/sandbox/linux.go
View File

@@ -433,11 +433,17 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *Lin
// Skip Landlock wrapper if executable is in /tmp (test binaries are built there)
// The wrapper won't work because --tmpfs /tmp hides the test binary
executableInTmp := strings.HasPrefix(fenceExePath, "/tmp/")
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != "" && !executableInTmp
// Skip Landlock wrapper if fence is being used as a library (executable is not fence)
// The wrapper re-executes the binary with --landlock-apply, which only fence understands
executableIsFence := strings.Contains(filepath.Base(fenceExePath), "fence")
useLandlockWrapper := opts.UseLandlock && features.CanUseLandlock() && fenceExePath != "" && !executableInTmp && executableIsFence
if opts.Debug && executableInTmp {
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (executable in /tmp, likely a test)\n")
}
if opts.Debug && !executableIsFence {
fmt.Fprintf(os.Stderr, "[fence:linux] Skipping Landlock wrapper (running as library, not fence CLI)\n")
}
bwrapArgs = append(bwrapArgs, "--", shellPath, "-c")

1
internal/sandbox/linux_features_stub.go
View File

@@ -14,6 +14,7 @@ type LinuxFeatures struct {
HasEBPF bool
HasCapBPF bool
HasCapRoot bool
CanUnshareNet bool
KernelMajor int
KernelMinor int
}

6
internal/sandbox/manager.go
View File

@@ -76,7 +76,9 @@ func (m *Manager) Initialize() error {
m.linuxBridge = bridge
// Set up reverse bridge for exposed ports (inbound connections)
if len(m.exposedPorts) > 0 {
// Only needed when network namespace is available - otherwise they share the network
features := DetectLinuxFeatures()
if len(m.exposedPorts) > 0 && features.CanUnshareNet {
reverseBridge, err := NewReverseBridge(m.exposedPorts, m.debug)
if err != nil {
m.linuxBridge.Cleanup()
@@ -85,6 +87,8 @@ func (m *Manager) Initialize() error {
return fmt.Errorf("failed to initialize reverse bridge: %w", err)
}
m.reverseBridge = reverseBridge
} else if len(m.exposedPorts) > 0 && m.debug {
m.logDebug("Skipping reverse bridge (no network namespace, ports accessible directly)")
}
}