fix: arm64 enforcement + detect accuracy #212

Merged: erans merged 4 commits into main from feat/arm64-enforcement on Apr 10, 2026

@erans (Collaborator) commented Apr 10, 2026

Summary

  • arm64 releases now ship with full seccomp/Landlock enforcement. agentsh-unixwrap and the server binary are cross-compiled for arm64 with CGO_ENABLED=1 using the existing release runner.
  • agentsh detect now reports accurate scores when the wrapper binary is missing — seccomp-notify, landlock, landlock-network, and seccomp-execve backends are marked unavailable, and a clear seccomp-wrapper: missing tip guides remediation.

Changes

| Commit | What |
|--------|------|
| 01087619 | detect marks wrapper-dependent backends unavailable when agentsh-unixwrap is not on PATH; clears secCaps flags for consistent SelectMode() and flat capability map; suppresses misleading generic tips |
| 6e6890d6 | New unixwrap-linux-arm64 GoReleaser target; flips agentsh-linux-arm64 server to CGO_ENABLED=1 with cross-compiler |
| 3478491a | Adds dpkg --add-architecture arm64 + libseccomp-dev:arm64 to release CI |

Test plan

  • go test ./... passes (all existing + 4 new detect tests)
  • GOOS=windows go build ./... passes (no regression)
  • arm64 cross-compilation works in CI (requires aarch64-linux-gnu-gcc + libseccomp-dev:arm64)
  • Verify agentsh detect on arm64 shows seccomp/landlock backends as available (post-fix)

🤖 Generated with Claude Code

erans and others added 4 commits April 10, 2026 12:42
…binary missing

detect now checks for agentsh-unixwrap on PATH and marks seccomp-notify,
landlock, and seccomp-execve backends as unavailable when it's not found.
This makes the protection score reflect actual enforcement state rather
than just kernel capabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Cross-compile agentsh-unixwrap and the server binary for arm64 with
CGO_ENABLED=1 using aarch64-linux-gnu-gcc. Both architectures now ship
with full seccomp/Landlock/signal enforcement.

Enables multi-arch apt and installs the arm64 libseccomp headers so
GoReleaser can cross-compile agentsh-unixwrap and the server binary
for arm64 with CGO enabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@erans erans merged commit 161c3e7 into main Apr 10, 2026
9 checks passed
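
The detect behaviour described in the summary and the first commit message, as an added Go sketch that is not agentsh's own code: a backend the kernel supports is reported as available only if the wrapper it depends on is found on PATH. The `Report` type, the `Detect` and `Score` functions, the count-based score and the `example-backend` name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
)

// Backends the PR summary lists as depending on the wrapper binary.
var needsWrapper = map[string]bool{"seccomp-notify": true, "landlock": true,
	"landlock-network": true, "seccomp-execve": true}

// Report is a hypothetical result type for this sketch, not agentsh's own.
type Report struct {
	Available map[string]bool
	Tips      []string
}

// Detect downgrades kernel-supported backends that cannot enforce anything
// without the wrapper. lookPath is injectable for tests (exec.LookPath in use).
func Detect(kernel map[string]bool, lookPath func(string) (string, error)) Report {
	_, err := lookPath("agentsh-unixwrap")
	missing := err != nil
	r := Report{Available: make(map[string]bool, len(kernel))}
	for name, ok := range kernel {
		r.Available[name] = ok && !(missing && needsWrapper[name])
	}
	if missing {
		r.Tips = append(r.Tips, "seccomp-wrapper: missing")
	}
	return r
}

// Score is an assumed metric: the number of backends that can enforce.
func Score(r Report) (n int) {
	for _, ok := range r.Available {
		if ok {
			n++
		}
	}
	return n
}

func main() {
	// Constructed probe results: the kernel supports every backend.
	kernel := map[string]bool{"seccomp-notify": true, "landlock": true,
		"landlock-network": true, "seccomp-execve": true, "example-backend": true}
	r := Detect(kernel, exec.LookPath)
	fmt.Println("score:", Score(r), "tips:", r.Tips)
}
```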