roothelper: pin bridge name + IP + CIDR to a banger-managed shape

priv.ensure_bridge / priv.create_tap accepted the daemon's network
config triple (BridgeName, BridgeIP, CIDR) and forwarded it straight
to `ip link` / `ip addr` / `ip link set master`. Argv-style exec
ruled out shell injection, but the kernel happily honours those
commands against any iface a compromised owner-uid daemon names —
including eth0/docker0/lo. Concretely:

  * priv.ensure_bridge could `ip link set <iface> up` against any
    host interface and `ip addr add` arbitrary IP/CIDR to it.
  * priv.create_tap could `ip link set <new-tap> master <iface>`,
    bridging the per-VM tap into the host's primary LAN so the
    guest sees host-local broadcast traffic.
  * priv.sync_resolver_routing / priv.clear_resolver_routing only
    enforced "name shaped like a Linux iface" — no banger constraint.

New validators (single chokepoint via validateNetworkConfig):
  * validateBangerBridgeName: name must equal "br-fc" or start with
    "br-fc-". Stops a compromised daemon from naming any host iface
    in these RPCs. Users with a custom bridge keep the prefix.
  * validateCIDRPrefix: numeric in [8, 32]. Wider prefixes would
    silently widen the bridge subnet beyond what the daemon intends.
  * validateNetworkConfig bundles bridge-name + validateIPv4 +
    validateCIDRPrefix so every helper RPC that takes the triple
    stays in lockstep.

Wired into methodEnsureBridge, methodCreateTap, and the resolver-
routing pair (replacing the older validateLinuxIfaceName-only check
with the stricter banger-bridge check).

docs/privileges.md updated: the helper-RPC table rows now spell out
the banger-managed bridge constraint, and the trust list includes
the new validators.

Tests: TestValidateBangerBridgeName (default + suffixed accepted,
host ifaces / wrong prefix / oversized rejected), TestValidate
CIDRPrefix (boundary + non-numeric + IPv6-style 64 rejected),
TestValidateNetworkConfig (happy path + each-field-bad cases).
Smoke at JOBS=4 still green — banger's defaults sail through the
new gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/roothelper/roothelper.go

@@ -436,6 +436,13 @@ func (s *Server) dispatch(ctx context.Context, req rpc.Request) rpc.Response {
 		if err != nil {
 			return rpc.NewError("bad_params", err.Error())
 		}
+		// Without these the helper would happily run `ip link add`
+		// against arbitrary names, `ip addr add` with arbitrary
+		// IP/CIDR, and `ip link set <NAME> up` against any host
+		// iface a compromised daemon might pick.
+		if err := validateNetworkConfig(params); err != nil {
+			return rpc.NewError("bad_params", err.Error())
+		}
 		return marshalResultOrError(struct{}{}, s.ensureBridge(ctx, params))
 	case methodCreateTap:
 		params, err := rpc.DecodeParams[struct {
@@ -445,6 +452,12 @@ func (s *Server) dispatch(ctx context.Context, req rpc.Request) rpc.Response {
 		if err != nil {
 			return rpc.NewError("bad_params", err.Error())
 		}
+		// Pin both the bridge config (so the new TAP can't be
+		// attached to e.g. eth0 via `ip link set <tap> master`) and
+		// the tap name itself.
+		if err := validateNetworkConfig(params.NetworkConfig); err != nil {
+			return rpc.NewError("bad_params", err.Error())
+		}
 		return marshalResultOrError(struct{}{}, s.createTap(ctx, params.NetworkConfig, params.TapName))
 	case methodDeleteTap:
 		params, err := rpc.DecodeParams[struct {
@@ -463,11 +476,13 @@ func (s *Server) dispatch(ctx context.Context, req rpc.Request) rpc.Response {
 			return rpc.NewError("bad_params", err.Error())
 		}
 		// syncResolverRouting short-circuits on empty input; only
-		// validate when actually doing something. This stops a
-		// compromised daemon from flapping arbitrary system-managed
-		// links via resolvectl.
+		// validate when actually doing something. validateBanger
+		// BridgeName is stricter than the previous validateLinux
+		// IfaceName: it stops a compromised daemon from pointing
+		// resolvectl at any host interface, not just refusing
+		// obviously-malformed names.
 		if strings.TrimSpace(params.BridgeName) != "" || strings.TrimSpace(params.ServerAddr) != "" {
-			if err := validateLinuxIfaceName(params.BridgeName); err != nil {
+			if err := validateBangerBridgeName(params.BridgeName); err != nil {
 				return rpc.NewError("bad_params", err.Error())
 			}
 			if err := validateResolverAddr(params.ServerAddr); err != nil {
@@ -483,7 +498,7 @@ func (s *Server) dispatch(ctx context.Context, req rpc.Request) rpc.Response {
 			return rpc.NewError("bad_params", err.Error())
 		}
 		if strings.TrimSpace(params.BridgeName) != "" {
-			if err := validateLinuxIfaceName(params.BridgeName); err != nil {
+			if err := validateBangerBridgeName(params.BridgeName); err != nil {
 				return rpc.NewError("bad_params", err.Error())
 			}
 		}
@@ -1105,6 +1120,75 @@ func (s *Server) validateExt4ImagePath(path string) error {
 	return fmt.Errorf("path %q is not a banger-managed ext4 image", path)
 }
 
+// bangerBridgeNamePrefix pins the only iface-name shape the helper
+// will mutate via priv.ensure_bridge / priv.create_tap / the resolver
+// routing RPCs. Anything that doesn't match — host primary interfaces
+// like eth0/wlan0/lo, foreign managed bridges like docker0/virbr0,
+// arbitrary attacker-chosen names — is refused outright. Banger's
+// daemon-config default for BridgeName is "br-fc"; users wanting a
+// different name must keep the "br-fc-" prefix so the helper can
+// recognise it as banger-managed.
+const bangerBridgeNamePrefix = "br-fc"
+
+// validateBangerBridgeName enforces the banger naming convention on
+// any bridge name a helper RPC mutates. Without this, a compromised
+// owner-uid daemon could ask the helper (which runs with
+// CAP_NET_ADMIN) to bring up arbitrary host interfaces, attach
+// per-VM taps to other users' bridges, or flap the host's primary
+// iface — argv-style exec rules out shell injection but the kernel
+// happily honours these requests against any iface the caller
+// names.
+func validateBangerBridgeName(name string) error {
+	if err := validateLinuxIfaceName(name); err != nil {
+		return err
+	}
+	trimmed := strings.TrimSpace(name)
+	if trimmed == bangerBridgeNamePrefix {
+		return nil
+	}
+	if strings.HasPrefix(trimmed, bangerBridgeNamePrefix+"-") {
+		return nil
+	}
+	return fmt.Errorf("bridge name %q is not banger-managed (must equal %q or start with %q)", name, bangerBridgeNamePrefix, bangerBridgeNamePrefix+"-")
+}
+
+// validateCIDRPrefix accepts a numeric IPv4 prefix length in [8, 32].
+// fcproc.EnsureBridge concatenates BridgeIP + "/" + CIDR into the
+// `ip addr add` argument, so anything that doesn't parse as a small
+// integer in that range either errors out (helpful) or, worse,
+// silently widens the bridge subnet beyond what the daemon intends.
+func validateCIDRPrefix(s string) error {
+	trimmed := strings.TrimSpace(s)
+	if trimmed == "" {
+		return errors.New("cidr prefix is required")
+	}
+	n, err := strconv.Atoi(trimmed)
+	if err != nil {
+		return fmt.Errorf("cidr prefix %q is not numeric", s)
+	}
+	if n < 8 || n > 32 {
+		return fmt.Errorf("cidr prefix %d is outside [8, 32]", n)
+	}
+	return nil
+}
+
+// validateNetworkConfig is the single chokepoint for every helper RPC
+// that takes a bridge name + IP + CIDR triple. Bundling the checks
+// here keeps every caller in lockstep on what counts as a
+// well-formed banger network config.
+func validateNetworkConfig(cfg NetworkConfig) error {
+	if err := validateBangerBridgeName(cfg.BridgeName); err != nil {
+		return err
+	}
+	if err := validateIPv4(cfg.BridgeIP); err != nil {
+		return fmt.Errorf("bridge ip: %w", err)
+	}
+	if err := validateCIDRPrefix(cfg.CIDR); err != nil {
+		return fmt.Errorf("bridge cidr: %w", err)
+	}
+	return nil
+}
+
 // validateLoopDevicePath confirms path is `/dev/loopN` for some N≥0.
 // dmsnap.Cleanup detaches loops via `losetup -d <path>`; without this
 // a compromised daemon could ask the helper to detach an arbitrary