Commit Graph

15 Commits

Author SHA1 Message Date
8958f79ece Document and expand test coverage of config file feature 2026-04-04 08:51:08 +02:00
db60fb9ddb Reject unknown config keys 2026-04-01 23:51:47 +02:00
c7c4c673cb Add mask option to hide paths/files from sandbox 2026-04-01 23:19:08 +02:00
0119834d5a Implement config file parsing and precedence with CLI 2026-03-31 01:22:08 +02:00
f1d7a14b8d Ensure root filesystem is always read-only inside sandbox 2026-03-29 16:50:59 +02:00

    Whitelist mode's implicit bwrap root was a writable tmpfs, letting the
    sandboxed process create files and directories anywhere not covered by
    an explicit ro mount. This was not an issue in blacklist mode due to
    --ro-bind / / covering that case.

    This patch adds --remount-ro / before any other mount to make the base
    layer read-only in both modes.
99f9395c10 Move require_run_user to lib.rs and make blacklist module private 2026-03-25 23:54:35 +01:00
d79563d948 Add integration test for /dev/input/ being hidden in blacklist mode 2026-03-25 23:02:24 +01:00
82f84247f1 Rework handling of /run and ${RUNUSER} in blacklist mode 2026-03-25 22:48:39 +01:00
0bd91ffad2 Add /sys to whitelist mode 2026-03-25 22:22:35 +01:00
dccf2309a5 Add --new-session to bwrap invocation 2026-03-25 22:15:21 +01:00
ada9da7ae7 Reject empty HOME envvar 2026-03-20 21:43:08 +01:00
4112288a30 Ensure passing relative paths to CLI works 2026-03-20 21:36:55 +01:00
94535b20d3 Fix blacklist bind mount order 2026-03-20 21:02:48 +01:00
ba885b7dd6 Ensure test file is cleaned up in cwd_is_writable test case 2026-03-20 18:52:03 +01:00
bf53d92d49 Initial commit 2026-03-20 18:40:08 +01:00