Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates

2026-05-05 09:12:36 +02:00 · 2026-03-23 16:45:40 +10:00 · 2026-03-23 16:45:40 +10:00 · 41cbfd6e0a
commit 41cbfd6e0a
parent 694e32be26
178 changed files with 36008 additions and 399 deletions
--- a/internal/infrastructure/antitamper/antitamper_unix.go
+++ b/internal/infrastructure/antitamper/antitamper_unix.go
@ -0,0 +1,47 @@
+//go:build !windows
+
+package antitamper
+
+import (
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
+)
+
+// platformInit applies Linux-specific anti-tamper controls.
+func (s *Shield) platformInit() {
+	// PR_SET_DUMPABLE = 0 prevents core dumps and ptrace attachment.
+	// This is the strongest anti-debug measure on Linux without eBPF.
+	if err := syscall.Prctl(syscall.PR_SET_DUMPABLE, 0, 0, 0, 0); err != nil {
+		s.logger.Warn("anti-tamper: PR_SET_DUMPABLE failed (non-Linux?)", "error", err)
+	} else {
+		s.logger.Info("anti-tamper: PR_SET_DUMPABLE=0 (core dumps disabled)")
+	}
+
+	// PR_SET_NO_NEW_PRIVS prevents privilege escalation.
+	if err := syscall.Prctl(38 /* PR_SET_NO_NEW_PRIVS */, 1, 0, 0, 0); err != nil {
+		s.logger.Warn("anti-tamper: PR_SET_NO_NEW_PRIVS failed", "error", err)
+	} else {
+		s.logger.Info("anti-tamper: PR_SET_NO_NEW_PRIVS=1")
+	}
+}
+
+// isDebuggerAttached checks for debugger attachment on Linux.
+func (s *Shield) isDebuggerAttached() bool {
+	// Method 1: Check /proc/self/status for TracerPid.
+	data, err := os.ReadFile("/proc/self/status")
+	if err == nil {
+		for _, line := range strings.Split(string(data), "\n") {
+			if strings.HasPrefix(line, "TracerPid:") {
+				pidStr := strings.TrimSpace(strings.TrimPrefix(line, "TracerPid:"))
+				pid, _ := strconv.Atoi(pidStr)
+				if pid != 0 {
+					return true // A process is tracing us.
+				}
+			}
+		}
+	}
+
+	return false
+}