fix: forward signals and drop --new-session for TUI support (#15)

* fix: forward all relevant signals to sandboxed child process

Interactive/TUI apps (Claude Code, opencode) running inside greywall
could not respond to terminal resizes, and copy/paste line breaks were
broken.

Two issues were at play:

1. Only SIGINT and SIGTERM were forwarded to the child. Added SIGWINCH,
   SIGQUIT, SIGHUP, SIGUSR1, SIGUSR2.

2. bwrap --new-session called setsid(), detaching the child from the
   controlling terminal entirely. This prevented SIGWINCH delivery
   regardless of forwarding. Removed --new-session and instead block
   the TIOCSTI ioctl (terminal input injection) via the seccomp BPF
   filter, which was the security concern --new-session addressed.

Closes #13

* fix: gofumpt formatting in seccomp TIOCSTI filter

Author: tito

cmd/greywall/main.go

@@ -370,7 +370,7 @@ func runCommand(cmd *cobra.Command, args []string) error {
 	execCmd.Stderr = os.Stderr
 
 	sigChan := make(chan os.Signal, 1)
-	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP, syscall.SIGWINCH, syscall.SIGUSR1, syscall.SIGUSR2)
 
 	// Start the command (non-blocking) so we can get the PID
 	if err := execCmd.Start(); err != nil {
@@ -396,18 +396,20 @@ func runCommand(cmd *cobra.Command, args []string) error {
 	}
 
 	go func() {
-		sigCount := 0
+		termCount := 0
 		for sig := range sigChan {
-			sigCount++
 			if execCmd.Process == nil {
 				continue
 			}
-			// First signal: graceful termination; second signal: force kill
-			if sigCount >= 2 {
-				_ = execCmd.Process.Kill()
-			} else {
-				_ = execCmd.Process.Signal(sig)
+			// For termination signals, force kill on the second attempt
+			if sig == syscall.SIGINT || sig == syscall.SIGTERM {
+				termCount++
+				if termCount >= 2 {
+					_ = execCmd.Process.Kill()
+					continue
+				}
 			}
+			_ = execCmd.Process.Signal(sig)
 		}
 	}()
 

internal/sandbox/linux.go

@@ -626,13 +626,12 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 	bwrapArgs := []string{
 		"bwrap",
 	}
-	// --new-session calls setsid() which detaches from the controlling terminal.
-	// Skip it in learning mode so interactive programs (TUIs, prompts) can
-	// read from /dev/tty. Learning mode already relaxes security constraints
-	// (no seccomp, no landlock), so skipping new-session is acceptable.
-	if !opts.Learning {
-		bwrapArgs = append(bwrapArgs, "--new-session")
-	}
+	// NOTE: We intentionally do NOT use --new-session here.
+	// --new-session calls setsid() which detaches from the controlling terminal,
+	// breaking SIGWINCH delivery and making all interactive/TUI apps (Claude Code,
+	// opencode, etc.) unable to respond to terminal resizes.
+	// The TIOCSTI attack vector (terminal input injection) that --new-session
+	// mitigates is instead blocked by our seccomp filter (see linux_seccomp.go).
 	bwrapArgs = append(bwrapArgs, "--die-with-parent")
 
 	// Always use --unshare-net when available (network namespace isolation)

internal/sandbox/linux_seccomp.go

@@ -20,6 +20,11 @@ func NewSeccompFilter(debug bool) *SeccompFilter {
 	return &SeccompFilter{debug: debug}
 }
 
+// TIOCSTI is the ioctl command for terminal input injection.
+// Blocking this via seccomp replaces the need for bwrap --new-session,
+// which broke SIGWINCH delivery to interactive/TUI applications.
+const TIOCSTI = 0x5412
+
 // DangerousSyscalls lists syscalls that should be blocked for security.
 var DangerousSyscalls = []string{
 	"ptrace",            // Process debugging/injection
@@ -144,6 +149,50 @@ func (s *SeccompFilter) writeBPFProgram(path string) error {
 		})
 	}
 
+	// Block ioctl(fd, TIOCSTI, ...) to prevent terminal input injection.
+	// This replaces bwrap --new-session which broke SIGWINCH for TUI apps.
+	//
+	// seccomp_data layout (all fields are u32 on both x86_64 and aarch64):
+	//   offset 0:  nr (syscall number)
+	//   offset 4:  arch
+	//   offset 8:  instruction_pointer (low 32 bits)
+	//   offset 12: instruction_pointer (high 32 bits)
+	//   offset 16: args[0] (low 32 bits) - fd
+	//   offset 20: args[0] (high 32 bits)
+	//   offset 24: args[1] (low 32 bits) - ioctl command
+	//   offset 28: args[1] (high 32 bits)
+	if ioctlNum, ok := getSyscallNumber("ioctl"); ok {
+		// Reload syscall number (previous jumps may have changed accumulator)
+		program = append(program, bpfInstruction{
+			code: BPF_LD | BPF_W | BPF_ABS,
+			k:    0, // offsetof(seccomp_data, nr)
+		})
+		// if syscall != ioctl, skip 3 instructions (to default allow)
+		program = append(program, bpfInstruction{
+			code: BPF_JMP | BPF_JEQ | BPF_K,
+			jt:   0,                // match: continue to arg check
+			jf:   3,                // no match: skip to default allow
+			k:    uint32(ioctlNum), //nolint:gosec // syscall number fits in uint32
+		})
+		// Load ioctl command argument (args[1], low 32 bits at offset 24)
+		program = append(program, bpfInstruction{
+			code: BPF_LD | BPF_W | BPF_ABS,
+			k:    24, // offsetof(seccomp_data, args[1])
+		})
+		// if ioctl command == TIOCSTI, block it
+		program = append(program, bpfInstruction{
+			code: BPF_JMP | BPF_JEQ | BPF_K,
+			jt:   0, // match: block
+			jf:   1, // no match: allow
+			k:    TIOCSTI,
+		})
+		// Block with EPERM
+		program = append(program, bpfInstruction{
+			code: BPF_RET | BPF_K,
+			k:    uint32(action),
+		})
+	}
+
 	// Default: allow
 	program = append(program, bpfInstruction{
 		code: BPF_RET | BPF_K,
@@ -263,6 +312,7 @@ func getSyscallNumber(name string) (int, bool) {
 			"finit_module":      273,
 			"delete_module":     106,
 			// ioperm and iopl don't exist on ARM64
+			"ioctl": 29,
 		}
 	} else {
 		// x86_64 syscall numbers
@@ -294,6 +344,7 @@ func getSyscallNumber(name string) (int, bool) {
 			"delete_module":     176,
 			"ioperm":            173,
 			"iopl":              172,
+			"ioctl":             16,
 		}
 	}