fix: resolve symlinked dotfiles and allowRead paths in sandbox #36
Open
Users who manage dotfiles with GNU Stow or similar tools have shell configs (.zshrc, .gitconfig, etc.) as symlinks. In deny-by-default mode, canMountOver() rejected symlinks entirely, so these files were silently skipped, making them invisible inside the sandbox.

Changes:
- Shell config files (.bashrc, .zshrc, etc.) that are symlinks are now resolved: the real file is bound at the symlink path via --ro-bind
- Home tool caches (.config, .cache, etc.) get the same treatment
- User-specified allowRead paths that are symlinks are resolved and bound correctly, with a refactored bindReadPath helper
- Add integration tests verifying symlinked configs and allowRead paths are accessible inside the sandbox in deny-by-default mode

- Fix gosec G306/G301: use 0600/0750 permissions in tests
- Fix errcheck: use t.Cleanup instead of defer os.Remove
- Fix gofumpt: remove trailing blank line
- Fix test: use recognized shell config name (.inputrc) so buildDenyByDefaultMounts picks it up correctly
- Add legacy mode symlink test for completeness
Hey, just wanted to mention that the reason I faced this issue in the first place was because I was running greywall in my HOME directory (I ran I still think there’s something to fix here, but maybe this information changes the way you do it.
Thank you for the comment, I'll have a look
Summary
Fixes #25 (dotfiles part, as reported by @johanfleury)

Users who manage dotfiles with GNU Stow or similar tools have ~/.gitconfig, ~/.zshrc, etc. as symlinks. In deny-by-default mode, canMountOver() rejected symlinks entirely, so these files were silently skipped and invisible inside the sandbox, causing bwrap: Can't create file errors.

- Shell config files (.bashrc, .zshrc, .profile, etc.) that are symlinks are now resolved: the real file is bound at the symlink path via --ro-bind <resolved> <symlink-path>
- Home tool caches (.config, .cache, .npm, etc.) get the same treatment
- User-specified allowRead paths that are symlinks are resolved and bound correctly, with a refactored bindReadPath helper to reduce duplication

Test plan
- allowRead path is readable in deny-by-default mode
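
The symlink handling described in the summary, as an added Go example that is not code from this pull request or from greywall: a symlinked path is resolved and the real file is bound at the symlink's own path with --ro-bind. The function name roBindArgs and its denied parameter are hypothetical; checking the resolved target against a deny list is an assumption about policy that the PR text does not state.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// roBindArgs returns the bwrap arguments that expose path read-only.
// A symlink is resolved first and its real target is bound at the symlink's
// own path. denied (hypothetical) lists directories that must never be
// exposed; it is checked against the resolved target, not the link name.
func roBindArgs(path string, denied []string) ([]string, error) {
	resolved, err := filepath.EvalSymlinks(path)
	if err != nil {
		// Dangling link or missing file: report it instead of skipping silently.
		return nil, fmt.Errorf("resolve %s: %w", path, err)
	}
	for _, d := range denied {
		realDeny, err := filepath.EvalSymlinks(d)
		if err != nil {
			continue // denied directory does not exist on this host
		}
		if resolved == realDeny || strings.HasPrefix(resolved, realDeny+string(os.PathSeparator)) {
			return nil, fmt.Errorf("%s resolves into denied path %s", path, realDeny)
		}
	}
	return []string{"--ro-bind", resolved, path}, nil
}

func main() {
	// Constructed layout: a Stow-style symlinked dotfile in a temp directory.
	dir, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "zshrc")
	link := filepath.Join(dir, ".zshrc")
	if err := os.WriteFile(target, []byte("# demo\n"), 0o600); err != nil {
		panic(err)
	}
	if err := os.Symlink(target, link); err != nil {
		panic(err)
	}
	args, err := roBindArgs(link, nil)
	fmt.Println(args, err)
}
```

Because the bind source is the resolved path, a sandbox policy that filters only on the link name would miss a dotfile symlink pointing into a protected directory, which is why the deny check runs after resolution.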