Commit Graph

21 Commits

Author SHA1 Message Date
5fc7eb3c11 Consolidate whitelist mode setup into add_whitelist_mode 2026-03-25 23:43:48 +01:00
960b034a80 Run integration tests serially to avoid /tmp race conditions 2026-03-25 23:43:26 +01:00
b200be9490 Add README with security model documentation 2026-03-25 23:13:16 +01:00
d79563d948 Add integration test for /dev/input/ being hidden in blacklist mode 2026-03-25 23:02:24 +01:00
167439c156 Add fish/nushell history and /tmp leaks to SENSITIVE_PATHS 2026-03-25 23:00:52 +01:00
6349709024 Add container, WM, package manager, and database sockets to SENSITIVE_PATHS 2026-03-25 22:58:12 +01:00
d3f8986b77 Sort dirs before files in resolve_overlays 2026-03-25 22:54:56 +01:00
  Glob results within a SENSITIVE_PATHS entry could return files before
  their parent directory. When that happens the file gets a null-bind
  while its siblings remain visible, because the parent hasn't been added
  to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
  dependency.
82f84247f1 Rework handling of /run and ${RUNUSER} in blacklist mode 2026-03-25 22:48:39 +01:00
0bd91ffad2 Add /sys to whitelist mode 2026-03-25 22:22:35 +01:00
dccf2309a5 Add --new-session to bwrap invocation 2026-03-25 22:15:21 +01:00
9f82ca21ee Add /dev/input/ to SENSITIVE_PATHS for blacklist mode 2026-03-25 22:00:32 +01:00
ada9da7ae7 Reject empty HOME envvar 2026-03-20 21:43:08 +01:00
4112288a30 Ensure passing relative paths to CLI works 2026-03-20 21:36:55 +01:00
94535b20d3 Fix blacklist bind mount order 2026-03-20 21:02:48 +01:00
826c6d5531 Add ~/.claude.json to agent paths and use --bind-try 2026-03-20 20:41:24 +01:00
50dafb4c37 Fix read-only /dev, /proc, /tmp, /var/tmp, /run in blacklist mode 2026-03-20 20:40:57 +01:00
c8e0d4813a Use --ro-bind-try for system files in whitelist mode 2026-03-20 19:29:53 +01:00
b4b94856ac Skip run_user overlay when runtime dir is unknown 2026-03-20 19:29:43 +01:00
9da043a70e Remove redundant /etc/ssh/* glob entry 2026-03-20 19:29:38 +01:00
ba885b7dd6 Ensure test file is cleaned up in cwd_is_writable test case 2026-03-20 18:52:03 +01:00
bf53d92d49 Initial commit 2026-03-20 18:40:08 +01:00