From 776650af01d56d1c38861420de7f4a077f0a61f8 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Fri, 10 Oct 2025 04:50:07 +0900
Subject: [PATCH] hst/config: negative WaitDelay bypasses default
This behaviour might be useful, so do not lock it out. This change also fixes an oversight where the unchecked value is used to determine ForwardCancel.
Signed-off-by: Ophestra
---
 hst/config.go | 4 ++--
 internal/app/outcome.go | 4 +++-
 internal/app/spcontainer.go | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/hst/config.go b/hst/config.go
index 9f4ee2f7..a0843aeb 100644
--- a/hst/config.go
+++ b/hst/config.go
@@ -67,8 +67,8 @@ type (
 Hostname string `json:"hostname,omitempty"`
 // Duration in nanoseconds to wait for after interrupting the initial process.
- // Defaults to [WaitDelayDefault] if less than or equals to zero,
- // or [WaitDelayMax] if greater than [WaitDelayMax].
+ // Defaults to [WaitDelayDefault] if zero, or [WaitDelayMax] if greater than [WaitDelayMax].
+ // Values lesser than zero is equivalent to zero, bypassing [WaitDelayDefault].
 WaitDelay time.Duration `json:"wait_delay,omitempty"`
 // Emit Flatpak-compatible seccomp filter programs.
diff --git a/internal/app/outcome.go b/internal/app/outcome.go
index 84a4bae3..0999ae91 100644
--- a/internal/app/outcome.go
+++ b/internal/app/outcome.go
@@ -81,7 +81,9 @@ func (s *outcomeState) populateEarly(k syscallDispatcher, msg message.Msg) {
 s.Shim = &shimParams{PrivPID: os.Getpid(), Verbose: msg.IsVerbose()}
 // enforce bounds and default early
- if s.Container.WaitDelay <= 0 {
+ if s.Container.WaitDelay < 0 {
+ s.Shim.WaitDelay = 0
+ } else if s.Container.WaitDelay == 0 {
 s.Shim.WaitDelay = hst.WaitDelayDefault
 } else if s.Container.WaitDelay > hst.WaitDelayMax {
 s.Shim.WaitDelay = hst.WaitDelayMax
diff --git a/internal/app/spcontainer.go b/internal/app/spcontainer.go
index b6378312..3426e7ea 100644
--- a/internal/app/spcontainer.go
+++ b/internal/app/spcontainer.go
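Review bot: The new WaitDelay comment in hst/config.go says negative values are "equivalent to zero" one line after stating that zero selects [WaitDelayDefault], so the two sentences read as contradicting each other. It also omits a side effect that the spcontainer.go hunk of this patch makes visible: a negative value resolves to a zero shim delay, and ForwardCancel is then set to false. Since this field is the user-facing configuration surface, I would reword the second line to `// A negative value requests no delay at all, bypassing [WaitDelayDefault], and turns off cancel forwarding.`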
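Review bot: The new `< 0` arm in populateEarly (internal/app/outcome.go) has no comment, and the existing `// enforce bounds and default early` above it does not say that a negative value is a deliberate request for no delay, so `s.Shim.WaitDelay = 0` reads like an ordinary clamp. I would add `// negative is an explicit request for no delay and skips WaitDelayDefault` above that assignment. The value comes from the JSON configuration, so this arm is reachable by anyone who can supply a config, yet the diffstat lists no test file covering the negative case. With a fourth arm the chain would also read better as a tagless `switch`; the end of the chain lies outside the hunk.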
@@ -65,7 +65,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
 // the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 // this behaviour is implemented in the shim
- state.params.ForwardCancel = state.Container.WaitDelay >= 0
+ state.params.ForwardCancel = state.Shim.WaitDelay > 0
 if state.Container.Multiarch {
 state.params.SeccompFlags |= seccomp.AllowMultiarch
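Review bot: `state.Shim.WaitDelay` is dereferenced here with no visible guarantee that `state.Shim` is non-nil. The outcome.go hunk of this patch shows the pointer being assigned in populateEarly, so toContainer now appears to depend on that having run first, whereas the old line read only `state.Container`. If nothing outside the hunk enforces that ordering, a nil `Shim` would panic at this line, so the dependency is worth a comment or a guard. The comment above the assignment should also record the new rule, e.g. `// cancel is not forwarded when the resolved WaitDelay is zero (negative in config)`. toContainer's body starts and ends outside the hunk.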