roothelper: tighten input validation across privileged RPCs

Defence-in-depth pass over every helper method that touches the host
as root. Each fix narrows what a compromised owner-uid daemon could
ask the helper to do; many close concrete file-ownership and DoS
primitives that the previous validators didn't reach.

Path / identifier validation:
  * priv.fsck_snapshot now requires /dev/mapper/fc-rootfs-* (was
    "is the string non-empty"). e2fsck -fy on /dev/sda1 was the
    motivating exploit.
  * priv.kill_process and priv.signal_process now read
    /proc/<pid>/cmdline and require a "firecracker" substring before
    sending the signal. Killing arbitrary host PIDs (sshd, init, …)
    is no longer a one-RPC primitive.
  * priv.read_ext4_file and priv.write_ext4_files now require the
    image path to live under StateDir or be /dev/mapper/fc-rootfs-*.
  * priv.cleanup_dm_snapshot validates every non-empty Handles field:
    DM name fc-rootfs-*, DM device /dev/mapper/fc-rootfs-*, loops
    /dev/loopN.
  * priv.remove_dm_snapshot accepts only fc-rootfs-* names or
    /dev/mapper/fc-rootfs-* paths.
  * priv.ensure_nat now requires a parsable IPv4 address and a
    banger-prefixed tap.
  * priv.sync_resolver_routing and priv.clear_resolver_routing now
    require a Linux iface-name-shaped bridge name (1–15 chars, no
    whitespace/'/'/':') and, for sync, a parsable resolver address.

Symlink defence:
  * priv.ensure_socket_access now validates the socket path is under
    RuntimeDir and not a symlink. The fcproc layer's chown/chmod
    moves to unix.Open(O_PATH|O_NOFOLLOW) + Fchownat(AT_EMPTY_PATH)
    + Fchmodat via /proc/self/fd, so even a swap of the leaf into a
    symlink between validation and the syscall is refused. The
    local-priv (non-root) fallback uses `chown -h`.
  * priv.cleanup_jailer_chroot rejects symlinks at both the leaf
    (os.Lstat) and intermediate path components (filepath.EvalSymlinks
    + clean-equality). The umount sweep was rewritten from shell
    `umount --recursive --lazy` to direct unix.Unmount(MNT_DETACH |
    UMOUNT_NOFOLLOW) per child mount, deepest-first; the findmnt
    guard remains as the rm-rf safety net. Local-priv mode falls
    back to `sudo umount --lazy`.

Binary validation:
  * validateRootExecutable now opens with O_PATH|O_NOFOLLOW and
    Fstats through the resulting fd. Rejects path-level symlinks and
    narrows the TOCTOU window between validation and the SDK's exec
    to fork+exec time on a healthy host.

Daemon socket:
  * The owner daemon now reads SO_PEERCRED on every accepted
    connection and refuses any UID that isn't 0 or the registered
    owner. Filesystem perms (0600 + ownerUID) already enforced this;
    the check is belt-and-braces in case the socket FD is ever
    leaked to a non-owner process.

Docs:
  * docs/privileges.md walked end-to-end. Each helper RPC's
    Validation gate row reflects what the code actually enforces.
    New section "Running outside the system install" calls out the
    looser dev-mode trust model (NOPASSWD sudoers, helper hardening
    bypassed) so users don't deploy that path on shared hosts.
    Trust list updated to include every new validator.

Tests added: validators (DM-loop, DM-remove-target, DM-handles,
ext4-image-path, iface-name, IPv4, resolver-addr, not-symlink,
firecracker-PID, root-executable variants), the daemon's authorize
path (non-unix conn rejection + unix conn happy path), the umount2
ordering contract (deepest-first + --lazy on the sudo branch), and
positive/negative cases for the chown-no-follow fallback.

Verified end-to-end via `make smoke JOBS=4` on a KVM host.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/daemon/daemon.go

@@ -14,6 +14,8 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/sys/unix"
+
 	"banger/internal/config"
 	ws "banger/internal/daemon/workspace"
 	"banger/internal/installmeta"
@@ -259,6 +261,13 @@ func (d *Daemon) Serve(ctx context.Context) error {
 
 func (d *Daemon) handleConn(conn net.Conn) {
 	defer conn.Close()
+	if err := d.authorizeConn(conn); err != nil {
+		if d.logger != nil {
+			d.logger.Warn("daemon connection rejected", "remote", conn.RemoteAddr().String(), "error", err.Error())
+		}
+		_ = json.NewEncoder(conn).Encode(rpc.NewError("unauthorized", err.Error()))
+		return
+	}
 	reader := bufio.NewReader(conn)
 	var req rpc.Request
 	if err := json.NewDecoder(reader).Decode(&req); err != nil {
@@ -281,6 +290,44 @@ func (d *Daemon) handleConn(conn net.Conn) {
 	}
 }
 
+// authorizeConn enforces SO_PEERCRED on the daemon socket as a
+// belt-and-braces check on top of filesystem perms (0600 + chowned to
+// the owner). Filesystem perms already prevent other host users from
+// connecting; the peer-cred read closes the door on any path that
+// might leak the socket FD to a non-owner process. Mirrors the
+// equivalent check in roothelper.authorizeConn.
+func (d *Daemon) authorizeConn(conn net.Conn) error {
+	unixConn, ok := conn.(*net.UnixConn)
+	if !ok {
+		return errors.New("daemon requires unix connections")
+	}
+	rawConn, err := unixConn.SyscallConn()
+	if err != nil {
+		return err
+	}
+	var cred *unix.Ucred
+	var controlErr error
+	if err := rawConn.Control(func(fd uintptr) {
+		cred, controlErr = unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
+	}); err != nil {
+		return err
+	}
+	if controlErr != nil {
+		return controlErr
+	}
+	if cred == nil {
+		return errors.New("missing peer credentials")
+	}
+	expected := d.clientUID
+	if expected < 0 {
+		expected = os.Getuid()
+	}
+	if int(cred.Uid) == 0 || int(cred.Uid) == expected {
+		return nil
+	}
+	return fmt.Errorf("uid %d is not allowed to use the daemon", cred.Uid)
+}
+
 func (d *Daemon) watchRequestDisconnect(conn net.Conn, reader *bufio.Reader, method string, cancel context.CancelFunc) func() {
 	if conn == nil || reader == nil {
 		return func() {}