test: add integration and smoke tests (#4)

internal/sandbox/linux_landlock.go

@@ -45,6 +45,7 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 	}
 
 	// Essential system paths - allow read+execute
+	// Note: /dev is handled separately with read+write for /dev/null, /dev/zero, etc.
 	systemReadPaths := []string{
 		"/usr",
 		"/lib",
@@ -54,11 +55,11 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 		"/sbin",
 		"/etc",
 		"/proc",
-		"/dev",
 		"/sys",
 		"/run",
 		"/var/lib",
 		"/var/cache",
+		"/opt",
 	}
 
 	for _, p := range systemReadPaths {
@@ -89,6 +90,12 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 		fmt.Fprintf(os.Stderr, "[fence:landlock] Warning: failed to add /tmp write path: %v\n", err)
 	}
 
+	// /dev needs read+write for /dev/null, /dev/zero, /dev/tty, etc.
+	// Landlock doesn't support rules on device files directly, so we allow the whole /dev
+	if err := ruleset.AllowReadWrite("/dev"); err != nil && debug {
+		fmt.Fprintf(os.Stderr, "[fence:landlock] Warning: failed to add /dev write path: %v\n", err)
+	}
+
 	// Socket paths for proxy communication
 	for _, p := range socketPaths {
 		dir := filepath.Dir(p)