guard: add secure-mode sandboxing for SSH git operations

author
Anirudh Oppiliappan
committer
Tangled
date (Jun 12, 2026, 12:22 PM +0300) commit b33f1326 parent 388e28a4 change-id uqrvxywv
+28
+28
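--- a/guard/guard.go
+++ b/guard/guard.go
@@ -11,9 +11,11 @@
 "os"
 "os/exec"
 "strings"
+"syscall"
 
 securejoin "github.com/cyphar/filepath-securejoin"
 "github.com/urfave/cli/v3"
+"tangled.org/core/knotserver/sandbox"
 "tangled.org/core/log"
 )
 
@@ -48,6 +50,10 @@
 Usage: "path to message of the day file",
 Value: "/home/git/motd",
 },
+&cli.BoolFlag{
+Name: "secure-mode",
+Usage: "isolate git subprocesses to their own repository directory",
+},
 },
 }
 }
@@ -60,6 +66,7 @@
 logPath := cmd.String("log-path")
 endpoint := cmd.String("internal-api")
 motdFile := cmd.String("motd-file")
+secureMode := cmd.Bool("secure-mode")
 
 logFile, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 if err != nil {
@@ -157,6 +164,27 @@
 gitCmd.Env = append(os.Environ(),
 fmt.Sprintf("GIT_USER_DID=%s", incomingUser),
 )
+
+if secureMode {
+sb, warn := sandbox.New(func(repoPath string) (uint32, uint32, error) {
+return sandbox.LookupUIDForRepoPath(gitDir, repoPath)
+})
+if warn != "" {
+l.Warn("secure-mode: sandbox degraded", "reason", warn)
+} else {
+l.Info("secure-mode: wrapping git command", "backend", sb.Name())
+}
+wrapped, wrapErr := sb.Wrap(fullPath, gitCmd)
+if wrapErr != nil {
+l.Error("sandbox wrap failed", "error", wrapErr)
+} else {
+gitCmd = wrapped
+}
+}
+
+if gitCmd.SysProcAttr == nil {
+gitCmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+}
 
 if err := gitCmd.Run(); err != nil {
 l.Error("command failed", "error", err)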
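Review bot: The `wrapErr != nil` branch in the new secure-mode block fails open: it logs `sandbox wrap failed` and then falls through to `gitCmd.Run()` with the original, unwrapped command, so a deployment started with `--secure-mode` can run an unsandboxed git subprocess with only a log line to show for it. In secure mode a wrap failure should abort the operation, e.g. `return fmt.Errorf("secure-mode: sandbox wrap failed: %w", wrapErr)`, assuming the enclosing action returns an error (its signature is outside the hunk). The `warn != ""` branch also continues in a degraded state; what isolation remains there is not visible from these lines, so either refuse to run or add a comment stating what is still enforced. Separately, `Setpgid` is applied only when `SysProcAttr` is nil, so a wrapped command that sets its own `SysProcAttr` skips it; a one-line comment such as `// sandbox backends that set SysProcAttr own process-group setup` would make that intent explicit if it is deliberate.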