monadical/greywall
Archived
14
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

fix: handle cross-mount resolv.conf symlinks in sandbox (#32)

Browse Source
This commit is contained in:
JY Tan
2026-02-08 15:22:31 -08:00
committed by GitHub
parent b8b12ebe31
commit da5f61e390
2 changed files with 86 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
internal/sandbox/linux_landlock.go
View File

@@ -71,6 +71,16 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
}
}
// If /etc/resolv.conf is a cross-mount symlink (e.g., -> /mnt/wsl/resolv.conf
// on WSL), Landlock needs a read rule for the resolved target's parent dir,
// otherwise following the symlink hits EACCES.
if target, err := filepath.EvalSymlinks("/etc/resolv.conf"); err == nil && target != "/etc/resolv.conf" {
targetDir := filepath.Dir(target)
if err := ruleset.AllowRead(targetDir); err != nil && debug {
fmt.Fprintf(os.Stderr, "[fence:landlock] Warning: failed to add resolv.conf target dir %s: %v\n", targetDir, err)
}
}
// Current working directory - read access (may be upgraded to write below)
if cwd != "" {
if err := ruleset.AllowRead(cwd); err != nil && debug {