
go.mod: bump go-microvm to v0.0.32 #126

Merged
JAORMX merged 1 commit into main from jaosorior/bump-go-microvm-v0.0.32
Apr 17, 2026

Conversation

@JAORMX
Contributor

@JAORMX JAORMX commented Apr 17, 2026

Summary

Picks up the security hardening series released in
go-microvm v0.0.32.

Included upstream changes:

  • Symlink-safe rootfs hooks (authorized_keys, file, env, VM
    config). Hooks refuse symlink components planted by a
    malicious OCI layer, closing a host-write vector on the
    InjectAuthorizedKeys / InjectFile / InjectEnvFile paths
    brood-box uses in every VM.
  • OCI layer-apply whiteouts now validate each path component
    before RemoveAll / ReadDir. Tar-entry count capped at 1 M to
    bound inode exhaustion.
  • DNS interceptor filters Answer A records by CNAME bailiwick
    and caps dynamic egress-rule TTL at 5 min.
  • Firewall relay caps frame length at 65 KiB and drops non-IPv4
    non-ARP frames under deny-default.
  • Hosted gateway services ship with default HTTP timeouts
    (Slowloris-proof).
  • terminateStaleRunner refuses to signal a PID that does not
    belong to the expected runner binary.
  • Any firewall configuration (rules, non-Allow default, or
    egress policy) now auto-wires the hosted provider.
  • Extract cache dir is 0o700; each extraction records per-file
    SHA-256 and re-verifies on Ensure.

No brood-box code changes required — all hardening is wired
through interfaces brood-box already uses.

Test plan

  • task build --force rebuilds bbox against v0.0.32 runtime
  • task verify green (fmt + lint + full test suite)
  • End-to-end: bbox claude-code --no-mcp --exec /bin/bash
    boots the VM, hooks run, workspace R/W round-trip
    flushes, DNS egress allows api.anthropic.com and
    denies unknown hosts

🤖 Generated with Claude Code
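Added example, not code from go-microvm or brood-box: one symlink-refusing path walk that backs both hardening points from the first two bullets of the summary above, an InjectFile-style rootfs hook and whiteout handling during OCI layer apply. The names SafeJoin, InjectFile and ApplyWhiteout, the rootfs layout, and the "terminal component may be a link for whiteouts" rule are assumptions of this example; the malicious layer in main is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrUnsafePath: the guest-supplied path is absolute, contains "..", or
// crosses a symlink inside the rootfs.
var ErrUnsafePath = errors.New("rootfs path refused: absolute, escapes root, or crosses a symlink")

// SafeJoin resolves rel beneath root one component at a time, Lstat-ing each
// existing component and refusing symlinks, so a link planted by a malicious
// layer (e.g. /root/.ssh -> a host directory) cannot redirect a later write.
// Not-yet-existing components are accepted so the caller can create them.
func SafeJoin(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrUnsafePath
	}
	parts := strings.Split(filepath.ToSlash(filepath.Clean(rel)), "/")
	for _, p := range parts {
		if p == ".." {
			return "", ErrUnsafePath
		}
	}
	cur := filepath.Clean(root)
	missing := false // once a component is absent, nothing below it can be a link
	for _, p := range parts {
		if p == "" || p == "." {
			continue
		}
		cur = filepath.Join(cur, p)
		if missing {
			continue
		}
		fi, err := os.Lstat(cur)
		switch {
		case errors.Is(err, os.ErrNotExist):
			missing = true
		case err != nil:
			return "", err
		case fi.Mode()&os.ModeSymlink != 0:
			return "", ErrUnsafePath
		}
	}
	return cur, nil
}

// InjectFile writes data at rel beneath root after SafeJoin has approved every
// component; O_NOFOLLOW also rejects a link raced into the final component
// between the check and the open.
func InjectFile(root, rel string, data []byte, mode os.FileMode) error {
	dst, err := SafeJoin(root, rel)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
		return err
	}
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, mode)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// ApplyWhiteout handles an OCI layer entry ".wh.<name>": the parent directory
// is re-validated with SafeJoin before <name> is removed, so a whiteout under a
// symlinked directory cannot RemoveAll a host path. RemoveAll unlinks a symlink
// rather than following it. The opaque marker ".wh..wh..opq" is out of scope.
func ApplyWhiteout(root, entry string) error {
	dir, base := filepath.Split(entry)
	name := strings.TrimPrefix(base, ".wh.")
	if name == base || name == "" || name == "." || name == ".." {
		return fmt.Errorf("not a usable whiteout entry: %q", entry)
	}
	parent, err := SafeJoin(root, dir)
	if err != nil {
		return err
	}
	return os.RemoveAll(filepath.Join(parent, name))
}

func main() {
	// Constructed malicious layer: /root/.ssh inside the rootfs is a symlink
	// to a directory outside it, standing in for a host path.
	root, _ := os.MkdirTemp("", "rootfs-")
	host, _ := os.MkdirTemp("", "host-")
	defer os.RemoveAll(root)
	defer os.RemoveAll(host)
	_ = os.MkdirAll(filepath.Join(root, "root"), 0o700)
	_ = os.Symlink(host, filepath.Join(root, "root", ".ssh"))
	key := []byte("ssh-ed25519 AAAA... constructed-demo-key\n")
	fmt.Println("inject through symlink:", InjectFile(root, "root/.ssh/authorized_keys", key, 0o600))
	fmt.Println("whiteout under symlink:", ApplyWhiteout(root, "root/.ssh/.wh.config"))
	fmt.Println("inject on benign path:", InjectFile(root, "home/agent/.ssh/authorized_keys", key, 0o600))
}
```

The Lstat-then-open walk is sufficient when the layer has already been extracted into a host-owned 0o700 cache and nothing else can mutate it before the hooks run. If the guest could race the walk, the per-component check has a TOCTOU window that only a kernel-side resolution closes; on Linux that is openat2 with RESOLVE_NO_SYMLINKS|RESOLVE_BENEATH (available through golang.org/x/sys/unix), which is the stronger form of the same idea. The 1 M tar-entry cap from the same bullet is a separate counter in the extractor and is not shown here.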

Picks up the security hardening series from
https://github.com/stacklok/go-microvm/releases/tag/v0.0.32 —
symlink-safe rootfs hooks, whiteout path re-validation during
OCI layer apply, DNS answer filtering by CNAME bailiwick, TTL
clamp on dynamic egress rules, relay frame-length cap, non-IPv4
drop under deny-default, hosted-service HTTP timeouts,
stale-runner identity guard, symmetric provider wiring, and
per-file integrity manifest on the extract cache.

No brood-box code changes required — all hardening is wired
through interfaces brood-box already uses.

Verified end-to-end: VM boots, hooks run, workspace round-trip
flushes, DNS egress allows api.anthropic.com and denies unknown
hosts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
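A worked example of the two DNS-interceptor changes the commit message above names, answer filtering by CNAME bailiwick and the TTL clamp on dynamic egress rules. This is added here and is not the go-microvm interceptor: the RR type, FilterAnswers, MaxEgressTTL, the hop limit and the rule that only A records owned by the terminal name of the CNAME chain count are assumptions of the example. The response in main is constructed from documentation names and addresses.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// RR is a minimal answer-section record; only A and CNAME matter here.
type RR struct {
	Name string // owner name
	Type string // "A" or "CNAME"
	Data string // IPv4 literal for A, target name for CNAME
	TTL  uint32 // seconds
}

// MaxEgressTTL bounds how long an egress rule derived from an answer may live,
// regardless of what the upstream resolver claimed.
const MaxEgressTTL = 300

// maxChain bounds CNAME hops so a loop or an absurdly long chain cannot stall us.
const maxChain = 8

func canon(n string) string { return strings.ToLower(strings.TrimSuffix(n, ".")) }

// FilterAnswers follows the CNAME chain starting at qname and keeps only A
// records owned by the chain's terminal name, with TTL clamped to
// MaxEgressTTL. A records for any other owner (the "bonus" answers a
// malicious or compromised resolver could append to widen an allow rule)
// are dropped, as are non-IPv4 payloads.
func FilterAnswers(qname string, answers []RR) ([]RR, error) {
	cname := make(map[string]string)
	for _, rr := range answers {
		if strings.EqualFold(rr.Type, "CNAME") {
			owner := canon(rr.Name)
			if _, dup := cname[owner]; dup {
				return nil, fmt.Errorf("conflicting CNAMEs for %s", owner)
			}
			cname[owner] = canon(rr.Data)
		}
	}
	cur := canon(qname)
	for hops := 0; ; hops++ {
		next, ok := cname[cur]
		if !ok {
			break
		}
		if hops >= maxChain {
			return nil, fmt.Errorf("CNAME chain from %s exceeds %d hops (loop?)", qname, maxChain)
		}
		cur = next
	}
	var kept []RR
	for _, rr := range answers {
		if !strings.EqualFold(rr.Type, "A") || canon(rr.Name) != cur {
			continue
		}
		ip := net.ParseIP(rr.Data)
		if ip == nil || ip.To4() == nil {
			continue
		}
		if rr.TTL > MaxEgressTTL {
			rr.TTL = MaxEgressTTL
		}
		kept = append(kept, rr)
	}
	return kept, nil
}

func main() {
	// Constructed response: one legitimate CNAME hop plus an unrelated A record
	// smuggled into the answer section.
	answers := []RR{
		{"api.example.com.", "CNAME", "edge.example.net.", 3600},
		{"edge.example.net.", "A", "203.0.113.10", 86400},
		{"evil.example.", "A", "198.51.100.7", 60},
	}
	kept, err := FilterAnswers("api.example.com", answers)
	fmt.Println(kept, err)
}
```

The terminal-name rule is deliberately stricter than "any name in the chain": a CNAME owner must not carry other data (RFC 1034 section 3.6.2), so an A record sitting on an intermediate name is itself a sign of a forged or broken response and is dropped rather than allow-listed. Clamping the TTL means an allow rule never outlives five minutes of resolver silence even if the upstream advertised a day.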
@JAORMX JAORMX merged commit d9e782c into main Apr 17, 2026
8 checks passed
@JAORMX JAORMX deleted the jaosorior/bump-go-microvm-v0.0.32 branch April 17, 2026 07:01