Add TODO comment

JY Tan
2026-02-02 11:53:40 -08:00
parent 37b154bc94
commit 8630789c39


@@ -481,9 +481,13 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, bridge *Lin
// Note: We only use concrete paths from getMandatoryDenyPaths(), NOT glob expansion. // Note: We only use concrete paths from getMandatoryDenyPaths(), NOT glob expansion.
// GetMandatoryDenyPatterns() returns expensive **/pattern globs that require walking // GetMandatoryDenyPatterns() returns expensive **/pattern globs that require walking
// the entire directory tree - this can hang on large directories (see issue #27). // the entire directory tree - this can hang on large directories (see issue #27).
// The concrete paths already cover dangerous files in cwd and home directory, //
// which is sufficient protection for bwrap's --ro-bind. Landlock (applied separately // The concrete paths cover dangerous files in cwd and home directory. Files like
// via the wrapper) provides additional recursive protection. // .bashrc in subdirectories are not protected, but this may be lower-risk since shell
// rc files in project subdirectories are uncommon and not automatically sourced.
//
// TODO: consider depth-limited glob expansion (e.g., max 3 levels) to protect
// subdirectory dangerous files without full tree walks that hang on large dirs.
mandatoryDeny := getMandatoryDenyPaths(cwd) mandatoryDeny := getMandatoryDenyPaths(cwd)
// Deduplicate // Deduplicate
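Review bot: The rewritten comment above `mandatoryDeny := getMandatoryDenyPaths(cwd)` drops the sentence saying Landlock, applied separately via the wrapper, provides additional recursive protection, and now states that files like .bashrc in subdirectories "are not protected". If Landlock still covers those paths recursively, keep that sentence so the comment does not understate the effective protection; if it does not, say so explicitly, because the previous wording claimed it did. The risk argument is also made only for shell rc files ("uncommon and not automatically sourced"), while the surrounding text speaks of dangerous files in general, so state whether the same reasoning holds for the other entries that the glob patterns would have matched. The TODO would be easier to track with an issue reference beside it, as the comment already does for issue #27, plus a short reason for choosing 3 levels as the example bound.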