Address code review feedback: improve error handling and VirtualBox detection

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-01-12 21:43:02 +00:00
parent e7fd0b698e
commit 32f989653e
3 changed files with 45 additions and 13 deletions

View File

@ -90,11 +90,23 @@ chmod 755 "$INTEGRITY_DIR"
# Generate checksums of policy files for integrity verification # Generate checksums of policy files for integrity verification
echo -e "${BLUE}Generating integrity checksums for policy files...${NC}" echo -e "${BLUE}Generating integrity checksums for policy files...${NC}"
{ {
sha256sum "$BLOCKED_DEST" 2>/dev/null || true if [[ -f "$BLOCKED_DEST" ]]; then
sha256sum "$GREYLIST_DEST" 2>/dev/null || true sha256sum "$BLOCKED_DEST" || { echo -e "${RED}Failed to checksum blocked list${NC}"; exit 1; }
sha256sum "$WHITELIST_DEST" 2>/dev/null || true fi
if [[ -f "$GREYLIST_DEST" ]]; then
sha256sum "$GREYLIST_DEST" || { echo -e "${RED}Failed to checksum greylist${NC}"; exit 1; }
fi
if [[ -f "$WHITELIST_DEST" ]]; then
sha256sum "$WHITELIST_DEST" || { echo -e "${RED}Failed to checksum whitelist${NC}"; exit 1; }
fi
} > "$INTEGRITY_FILE" } > "$INTEGRITY_FILE"
# Verify integrity file was created and has content
if [[ ! -s "$INTEGRITY_FILE" ]]; then
echo -e "${RED}Error: Integrity file was not created or is empty${NC}"
exit 1
fi
# Make integrity file immutable # Make integrity file immutable
chmod 400 "$INTEGRITY_FILE" chmod 400 "$INTEGRITY_FILE"
if command -v chattr > /dev/null 2>&1; then if command -v chattr > /dev/null 2>&1; then

View File

@ -747,12 +747,21 @@ remove_installed_greylisted_packages "$@"
# If VirtualBox was involved in this operation, enforce hosts file sharing # If VirtualBox was involved in this operation, enforce hosts file sharing
enforce_vbox_hosts_if_needed() { enforce_vbox_hosts_if_needed() {
# Only check after install operations # Only check after install operations
if [[ ${1:-} != "-S"* && ${1:-} != "-U"* ]]; then if [[ -z ${1:-} ]]; then
return 0 return 0
fi fi
# Check if VirtualBox is installed if [[ $1 != "-S"* && $1 != "-U"* ]]; then
if ! "$PACMAN_BIN" -Qq virtualbox > /dev/null 2>&1; then return 0
fi
# Check if ANY VirtualBox package is installed (use broader search)
local vbox_installed=0
if "$PACMAN_BIN" -Qq 2>/dev/null | grep -Eq '^(virtualbox|vbox)'; then
vbox_installed=1
fi
if [[ $vbox_installed -eq 0 ]]; then
return 0 return 0
fi fi
@ -771,6 +780,7 @@ enforce_vbox_hosts_if_needed() {
fi fi
if [[ -z $vbox_enforce_script ]]; then if [[ -z $vbox_enforce_script ]]; then
echo -e "${YELLOW}VirtualBox detected but enforcement script not found. Hosts file may not be enforced in VMs.${NC}" >&2
return 0 return 0
fi fi
@ -779,12 +789,20 @@ enforce_vbox_hosts_if_needed() {
return 0 return 0
fi fi
# VirtualBox is installed but enforcement not applied # VirtualBox is installed but enforcement not applied - this is critical
echo -e "${YELLOW}VirtualBox detected. Applying /etc/hosts enforcement to VMs...${NC}" >&2 echo -e "${YELLOW}VirtualBox detected. Applying /etc/hosts enforcement to VMs...${NC}" >&2
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
sudo bash "$vbox_enforce_script" enforce || echo -e "${RED}Failed to enforce hosts on VirtualBox VMs${NC}" >&2 if ! sudo bash "$vbox_enforce_script" enforce; then
echo -e "${RED}CRITICAL: Failed to enforce hosts on VirtualBox VMs!${NC}" >&2
echo -e "${RED}VMs may bypass /etc/hosts restrictions. Please run manually:${NC}" >&2
echo -e "${RED} sudo $vbox_enforce_script enforce${NC}" >&2
fi
else else
bash "$vbox_enforce_script" enforce || echo -e "${RED}Failed to enforce hosts on VirtualBox VMs${NC}" >&2 if ! bash "$vbox_enforce_script" enforce; then
echo -e "${RED}CRITICAL: Failed to enforce hosts on VirtualBox VMs!${NC}" >&2
echo -e "${RED}VMs may bypass /etc/hosts restrictions. Please run manually:${NC}" >&2
echo -e "${RED} $vbox_enforce_script enforce${NC}" >&2
fi
fi fi
} }

View File

@ -92,14 +92,16 @@ BACKUP_HOSTS_FILE="/etc/hosts.pre-vbox-sync"
# Function to check if running in VirtualBox # Function to check if running in VirtualBox
is_virtualbox() { is_virtualbox() {
if command -v dmidecode > /dev/null 2>&1; then # First try systemd-detect-virt (no root required)
if sudo dmidecode -s system-product-name 2>/dev/null | grep -qi "VirtualBox"; then if command -v systemd-detect-virt > /dev/null 2>&1; then
if systemd-detect-virt 2>/dev/null | grep -qi "oracle"; then
return 0 return 0
fi fi
fi fi
if command -v systemd-detect-virt > /dev/null 2>&1; then # Then try dmidecode (requires root, but script should already be running as root)
if systemd-detect-virt | grep -qi "oracle"; then if command -v dmidecode > /dev/null 2>&1; then
if dmidecode -s system-product-name 2>/dev/null | grep -qi "VirtualBox"; then
return 0 return 0
fi fi
fi fi