maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

hst/config: negative WaitDelay bypasses default

Browse Source 
This behaviour might be useful, so do not lock it out. This change also fixes an oversight where the unchecked value is used to determine ForwardCancel.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-10 04:50:07 +09:00
parent 109aaee659
commit 776650af01
3 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/app/outcome.go
View File

@@ -81,7 +81,9 @@ func (s *outcomeState) populateEarly(k syscallDispatcher, msg message.Msg) {
s.Shim = &shimParams{PrivPID: os.Getpid(), Verbose: msg.IsVerbose()}
// enforce bounds and default early
if s.Container.WaitDelay <= 0 {
if s.Container.WaitDelay < 0 {
s.Shim.WaitDelay = 0
} else if s.Container.WaitDelay == 0 {
s.Shim.WaitDelay = hst.WaitDelayDefault
} else if s.Container.WaitDelay > hst.WaitDelayMax {
s.Shim.WaitDelay = hst.WaitDelayMax

2
internal/app/spcontainer.go
View File

@@ -65,7 +65,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
// the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
// this behaviour is implemented in the shim
state.params.ForwardCancel = state.Container.WaitDelay >= 0
state.params.ForwardCancel = state.Shim.WaitDelay > 0
if state.Container.Multiarch {
state.params.SeccompFlags |= seccomp.AllowMultiarch