helper/bwrap: implement sync fd

This is required by wayland security-context-v1. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-06 04:21:37 +09:00 · 2024-12-06 04:21:37 +09:00 · 8d0573405a
commit 8d0573405a
parent 38e92edb8e
3 changed files with 26 additions and 1 deletions
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@ -3,6 +3,7 @@ package helper
 import (
 	"errors"
 	"io"
+	"os"
 	"os/exec"
 	"strconv"
 	"sync"
@ -19,6 +20,8 @@ type bubblewrap struct {

 	// bwrap pipes
 	p *pipes
+	// sync pipe
+	sync *os.File
 	// returns an array of arguments passed directly
 	// to the child process spawned by bwrap
 	argF func(argsFD, statFD int) []string
@ -72,6 +75,11 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
 		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
 	}

+	if b.sync != nil {
+		b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(3+len(b.Cmd.ExtraFiles)))
+		b.Cmd.ExtraFiles = append(b.Cmd.ExtraFiles, b.sync)
+	}
+
 	if err := b.Cmd.Start(); err != nil {
 		return err
 	}
@ -131,6 +139,7 @@ func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD,
 		b.p = &pipes{args: args}
 	}

+	b.sync = conf.Sync()
 	b.argF = argF
 	b.name = name
 	if wt != nil {
--- a/helper/bwrap/config.go
+++ b/helper/bwrap/config.go
@ -68,13 +68,16 @@ type Config struct {
 	// (--as-pid-1)
 	AsInit bool `json:"as_init"`

+	// keep this fd open while sandbox is running
+	// (--sync-fd FD)
+	sync *os.File
+
 	/* unmapped options include:
 	    --unshare-user-try           Create new user namespace if possible else continue by skipping it
 	    --unshare-cgroup-try         Create new cgroup namespace if possible else continue by skipping it
 	    --userns FD                  Use this user namespace (cannot combine with --unshare-user)
 	    --userns2 FD                 After setup switch to this user namespace, only useful with --userns
 	    --pidns FD                   Use this pid namespace (as parent namespace if using --unshare-pid)
-		--sync-fd FD                 Keep this fd open while sandbox is running
 	    --exec-label LABEL           Exec label for the sandbox
 	    --file-label LABEL           File label for temporary sandbox content
 	    --file FD DEST               Copy from FD to destination DEST
@ -92,6 +95,12 @@ type Config struct {
 	among which --args is used internally for passing arguments */
 }

+// Sync keep this fd open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) Sync() *os.File {
+	return c.sync
+}
+
 type UnshareConfig struct {
 	// (--unshare-user)
 	// create new user namespace
--- a/helper/bwrap/config.set.go
+++ b/helper/bwrap/config.set.go
@ -136,3 +136,10 @@ func (c *Config) SetGID(gid int) *Config {
 	}
 	return c
 }
+
+// SetSync sets the sync pipe kept open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) SetSync(s *os.File) *Config {
+	c.sync = s
+	return c
+}