feat(dynamic, eval): enhance hardening validation, CI budget tuning, and source-keyed target-dir isolation

2026-06-12 19:55:14 +02:00 · 2026-06-03 07:35:57 -05:00 · 2026-06-03 07:35:57 -05:00 · c2cd6f009e
commit c2cd6f009e
parent 2e456c15d1
12 changed files with 234 additions and 17 deletions
--- a/src/dynamic/sandbox/process_linux.rs
+++ b/src/dynamic/sandbox/process_linux.rs
@ -589,8 +589,10 @@ pub fn install_pre_exec(
 }

 fn run_pre_exec_in_child(plan: &PreExecPlan) -> HardeningOutcome {
-    let mut outcome = HardeningOutcome::default();
-    outcome.profile = plan.profile;
+    let mut outcome = HardeningOutcome {
+        profile: plan.profile,
+        ..Default::default()
+    };
    let ablation = plan.ablation.unwrap_or_default();

    // ── Always-on: PR_SET_NO_NEW_PRIVS + RLIMIT_AS ───────────────────────