left4me

cronekorkn/left4me

Fork 0

Commit graph

Author	SHA1	Message	Date
mwiegand	efaaf84cd9	docs(specs): script sandbox v2 — systemd-only design + plan Spec captures the v2 architecture (systemd-run service mode with full hardening directives, no bwrap), the two surfaces in scope (helper rewrite + bubblewrap dep removal + left4me.db mode tightening), and the gotchas surfaced by smoke-testing the prototype on ckn@10.0.4.128: - ProtectSystem=strict makes /var/lib/left4me visible (not invisible); must add TemporaryFileSystem=/var/lib to mask it. - Script bind via BindReadOnlyPaths uses ${SCRIPT}:/script.sh syntax. - No PrivatePID= directive in systemd; host PIDs visible via /proc. Information disclosure only — kernel UID-mismatch blocks signals. Plan breaks the migration into 4 tasks (helper rewrite, deploy-script deps + DB mode, host smoke-test, drift sweep) with explicit rollback. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-08 16:46:13 +02:00

Author

SHA1

Message

Date

mwiegand

efaaf84cd9

docs(specs): script sandbox v2 — systemd-only design + plan

Spec captures the v2 architecture (systemd-run service mode with full
hardening directives, no bwrap), the two surfaces in scope (helper
rewrite + bubblewrap dep removal + left4me.db mode tightening), and the
gotchas surfaced by smoke-testing the prototype on ckn@10.0.4.128:
- ProtectSystem=strict makes /var/lib/left4me visible (not invisible);
  must add TemporaryFileSystem=/var/lib to mask it.
- Script bind via BindReadOnlyPaths uses ${SCRIPT}:/script.sh syntax.
- No PrivatePID= directive in systemd; host PIDs visible via /proc.
  Information disclosure only — kernel UID-mismatch blocks signals.

Plan breaks the migration into 4 tasks (helper rewrite, deploy-script
deps + DB mode, host smoke-test, drift sweep) with explicit rollback.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-08 16:46:13 +02:00

1 commit