greywall

monadical/greywall

Archived

Fork 0

Commit Graph

Author	SHA1	Message	Date
Mathieu Virbel	c95fca830b	docs: add Linux deny-by-default lessons to experience.md Document three issues encountered during --tmpfs / isolation: symlinked system dirs on merged-usr distros, Landlock denying reads on bind-mounted /dev/null, and mandatory deny paths overriding sensitive file masks.	2026-02-12 20:16:37 -06:00
Mathieu Virbel	b55b3364af	feat: add dependency status to --version and document AppArmor userns fix Some checks failed Build and test / Build (push) Successful in 11s Details Build and test / Lint (push) Failing after 1m24s Details Build and test / Test (Linux) (push) Failing after 40s Details Build and test / Test (macOS) (push) Has been cancelled Details Show installed dependencies, security features, and transparent proxy availability when running --version. Detect AppArmor unprivileged_userns restriction on Ubuntu 24.04+ and suggest the fix. Document the RTM_NEWADDR issue in experience.md.	2026-02-11 19:31:24 -06:00
Mathieu Virbel	3dd772d35a	feat: add --learning mode, --template flag, and fix DNS relay Some checks failed Build and test / Lint (push) Failing after 1m29s Details Build and test / Build (push) Successful in 13s Details Build and test / Test (Linux) (push) Failing after 58s Details Build and test / Test (macOS) (push) Has been cancelled Details Learning mode (--learning) traces filesystem access with strace and generates minimal sandbox config templates. A background monitor kills strace when the main command exits so long-lived child processes (LSP servers, file watchers) don't cause hangs. Other changes: - Add 'greywall templates list/show' subcommand - Add --template flag to load specific learned templates - Fix DNS relay: use TCP DNS (options use-vc) instead of broken UDP relay through tun2socks - Filter O_DIRECTORY opens from learned read paths - Add docs/experience.md with development notes	2026-02-11 08:22:53 -06:00

Author

SHA1

Message

Date

Mathieu Virbel

c95fca830b

docs: add Linux deny-by-default lessons to experience.md

Document three issues encountered during --tmpfs / isolation:
symlinked system dirs on merged-usr distros, Landlock denying
reads on bind-mounted /dev/null, and mandatory deny paths
overriding sensitive file masks.

2026-02-12 20:16:37 -06:00

Mathieu Virbel

b55b3364af

feat: add dependency status to --version and document AppArmor userns fix

Build and test / Build (push) Successful in 11s

Details

Build and test / Lint (push) Failing after 1m24s

Details

Build and test / Test (Linux) (push) Failing after 40s

Details

Build and test / Test (macOS) (push) Has been cancelled

Details

Show installed dependencies, security features, and transparent proxy
availability when running --version. Detect AppArmor
unprivileged_userns restriction on Ubuntu 24.04+ and suggest the fix.
Document the RTM_NEWADDR issue in experience.md.

2026-02-11 19:31:24 -06:00

Mathieu Virbel

3dd772d35a

feat: add --learning mode, --template flag, and fix DNS relay

Build and test / Lint (push) Failing after 1m29s

Details

Build and test / Build (push) Successful in 13s

Details

Build and test / Test (Linux) (push) Failing after 58s

Details

Build and test / Test (macOS) (push) Has been cancelled

Details

Learning mode (--learning) traces filesystem access with strace and
generates minimal sandbox config templates. A background monitor kills
strace when the main command exits so long-lived child processes (LSP
servers, file watchers) don't cause hangs.

Other changes:
- Add 'greywall templates list/show' subcommand
- Add --template flag to load specific learned templates
- Fix DNS relay: use TCP DNS (options use-vc) instead of broken UDP
  relay through tun2socks
- Filter O_DIRECTORY opens from learned read paths
- Add docs/experience.md with development notes

2026-02-11 08:22:53 -06:00

3 Commits