left4me

History

mwiegand 90531864b3 harden(left4me-overlay): fix idmap collision risk, gate test stubs on PRINT_ONLY, wrap os.stat Issue #1: idmap target now uses parent+name (overlays_workshop instead of workshop) to prevent basename collisions across allowlist roots; explicit die() on collision detected in the loop. Issue #2: env-var uid stubs (renamed to LEFT4ME_TEST_SANDBOX_UID etc.) are only honoured when LEFT4ME_OVERLAY_PRINT_ONLY=1, so a misconfigured systemd unit override cannot influence real uid mapping. Issue #3: os.stat(lowerdir) is wrapped in try/except OSError with a die() that shell-quotes the path and includes the exception, matching the helper's existing error style. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 23:53:32 +02:00
..
local	harden(left4me-overlay): fix idmap collision risk, gate test stubs on PRINT_ONLY, wrap os.stat	2026-05-14 23:53:32 +02:00

harden(left4me-overlay): fix idmap collision risk, gate test stubs on PRINT_ONLY, wrap os.stat

Issue #1: idmap target now uses parent+name (overlays_workshop instead of
workshop) to prevent basename collisions across allowlist roots; explicit
die() on collision detected in the loop.

Issue #2: env-var uid stubs (renamed to LEFT4ME_TEST_SANDBOX_UID etc.) are
only honoured when LEFT4ME_OVERLAY_PRINT_ONLY=1, so a misconfigured systemd
unit override cannot influence real uid mapping.

Issue #3: os.stat(lowerdir) is wrapped in try/except OSError with a die()
that shell-quotes the path and includes the exception, matching the helper's
existing error style.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-14 23:53:32 +02:00

local

harden(left4me-overlay): fix idmap collision risk, gate test stubs on PRINT_ONLY, wrap os.stat

2026-05-14 23:53:32 +02:00