banger

thaloco/banger

Fork 0

Commit graph

Author	SHA1	Message	Date
Thales Maciel	b930c51990	runtime sockets: close the local-user race window around control-plane creation Previously the daemon socket, per-VM firecracker API socket, and vsock socket were transiently world-exposed on hosts without XDG_RUNTIME_DIR: the runtime directory landed in /tmp at 0755, Firecracker ran with umask 000 (mode 0666 sockets), and only a follow-up chown/chmod in EnsureSocketAccess tightened them. A local attacker could race into bangerd.sock or the firecracker API socket during that window. Three changes: - internal/paths/paths.go: RuntimeDir is now created (and re-chmod'd if stale) at 0700 unconditionally. When XDG_RUNTIME_DIR is unset and we fall back to /tmp/banger-runtime-<uid>, Ensure() now verifies the parent dir is owned by the current uid and 0700 mode — refusing to place sockets inside a directory someone else created. Symlink swaps rejected via Lstat. - internal/firecracker/client.go: launch firecracker with umask 077 instead of umask 000 so the API socket is mode 0600 from birth. The chown in fcproc.EnsureSocketAccess still transfers ownership from root to the invoking user afterwards. - internal/daemon/fcproc/fcproc.go: EnsureSocketDir now creates (and re-chmod's) the runtime socket directory at 0700. Tests cover the tightening path — an existing 0755 RuntimeDir is re-chmod'd on Ensure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 12:53:47 -03:00
Thales Maciel	f8979de58a	coverage: easy-wins batch across cli, system, paths, vmdns, toolingplan Pure-Go tests for formatters, layout resolution, and validators — no fixtures, no external processes. Targets previously-zero functions the triage scan flagged as low-hanging fruit. cli 55% -> 65% paths 64% -> 91% system 65% -> 75% vmdns 72% -> 86% toolingplan 73% -> 78% Total 52.6% -> 54.0%.	2026-04-18 17:57:05 -03:00

Author

SHA1

Message

Date

Thales Maciel

b930c51990

runtime sockets: close the local-user race window around control-plane creation

Previously the daemon socket, per-VM firecracker API socket, and vsock
socket were transiently world-exposed on hosts without XDG_RUNTIME_DIR:
the runtime directory landed in /tmp at 0755, Firecracker ran with
umask 000 (mode 0666 sockets), and only a follow-up chown/chmod in
EnsureSocketAccess tightened them. A local attacker could race into
bangerd.sock or the firecracker API socket during that window.

Three changes:

- internal/paths/paths.go: RuntimeDir is now created (and re-chmod'd if
  stale) at 0700 unconditionally. When XDG_RUNTIME_DIR is unset and we
  fall back to /tmp/banger-runtime-<uid>, Ensure() now verifies the
  parent dir is owned by the current uid and 0700 mode — refusing to
  place sockets inside a directory someone else created. Symlink swaps
  rejected via Lstat.

- internal/firecracker/client.go: launch firecracker with umask 077
  instead of umask 000 so the API socket is mode 0600 from birth. The
  chown in fcproc.EnsureSocketAccess still transfers ownership from
  root to the invoking user afterwards.

- internal/daemon/fcproc/fcproc.go: EnsureSocketDir now creates (and
  re-chmod's) the runtime socket directory at 0700.

Tests cover the tightening path — an existing 0755 RuntimeDir is
re-chmod'd on Ensure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-20 12:53:47 -03:00

Thales Maciel

f8979de58a

coverage: easy-wins batch across cli, system, paths, vmdns, toolingplan

Pure-Go tests for formatters, layout resolution, and validators — no
fixtures, no external processes. Targets previously-zero functions the
triage scan flagged as low-hanging fruit.

  cli          55% -> 65%
  paths        64% -> 91%
  system       65% -> 75%
  vmdns        72% -> 86%
  toolingplan  73% -> 78%

Total 52.6% -> 54.0%.

2026-04-18 17:57:05 -03:00

2 commits