From 8d0573405a8a58a57c39b008150d75d3be2894c2 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Fri, 6 Dec 2024 04:21:37 +0900
Subject: [PATCH] helper/bwrap: implement sync fd

This is required by wayland security-context-v1.

Signed-off-by: Ophestra Umiker
---
 helper/bwrap.go | 9 +++++++++
 helper/bwrap/config.go | 11 ++++++++++-
 helper/bwrap/config.set.go | 7 +++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/helper/bwrap.go b/helper/bwrap.go
index d525556..2788dbf 100644
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@@ -3,6 +3,7 @@ package helper
 import (
 	"errors"
 	"io"
+	"os"
 	"os/exec"
 	"strconv"
 	"sync"
@@ -19,6 +20,8 @@ type bubblewrap struct {
 	// bwrap pipes
 	p *pipes
+	// sync pipe
+	sync *os.File
 	// returns an array of arguments passed directly
 	// to the child process spawned by bwrap
 	argF func(argsFD, statFD int) []string
@@ -72,6 +75,11 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
 		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
 	}
+	if b.sync != nil {
+		b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(3+len(b.Cmd.ExtraFiles)))
+		b.Cmd.ExtraFiles = append(b.Cmd.ExtraFiles, b.sync)
+	}
+
 	if err := b.Cmd.Start(); err != nil {
 		return err
 	}
@@ -131,6 +139,7 @@ func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD,
 		b.p = &pipes{args: args}
 	}
+	b.sync = conf.Sync()
 	b.argF = argF
 	b.name = name
 	if wt != nil {
diff --git a/helper/bwrap/config.go b/helper/bwrap/config.go
index 0aad6de..9e15a29 100644
--- a/helper/bwrap/config.go
+++ b/helper/bwrap/config.go
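Review bot: The new block in StartNotify leaves the parent's own copy of `b.sync` open after `b.Cmd.Start()` succeeds, and neither this hunk nor the `// sync pipe` field comment in the struct hunk above says who is responsible for closing it. The commit message ties this to wayland security-context-v1, where the peer of such a pipe is what the compositor watches for sandbox exit; if `b.sync` is the end bwrap is meant to hold, a copy left open in the parent would delay that signal until the parent itself exits, so either close it once Start has returned (`b.sync.Close()` after the Start error check) or state in the field comment that the caller owns the file and closes it. The fd arithmetic also deserves a why-comment, since it relies on os/exec placing `ExtraFiles[i]` at child fd 3+i: `// ExtraFiles[i] becomes fd 3+i in the child, so number it before appending`. StartNotify's body continues outside the hunk.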
@@ -68,13 +68,16 @@ type Config struct {
 	// (--as-pid-1)
 	AsInit bool `json:"as_init"`
+	// keep this fd open while sandbox is running
+	// (--sync-fd FD)
+	sync *os.File
+
 	/* unmapped options include:
 	--unshare-user-try Create new user namespace if possible else continue by skipping it
 	--unshare-cgroup-try Create new cgroup namespace if possible else continue by skipping it
 	--userns FD Use this user namespace (cannot combine with --unshare-user)
 	--userns2 FD After setup switch to this user namespace, only useful with --userns
 	--pidns FD Use this pid namespace (as parent namespace if using --unshare-pid)
-	--sync-fd FD Keep this fd open while sandbox is running
 	--exec-label LABEL Exec label for the sandbox
 	--file-label LABEL File label for temporary sandbox content
 	--file FD DEST Copy from FD to destination DEST
@@ -92,6 +95,12 @@ type Config struct {
 	among which --args is used internally for passing arguments */
 }
+// Sync keep this fd open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) Sync() *os.File {
+	return c.sync
+}
+
 type UnshareConfig struct {
 	// (--unshare-user)
 	// create new user namespace
diff --git a/helper/bwrap/config.set.go b/helper/bwrap/config.set.go
index 318ad7f..e9d3e13 100644
--- a/helper/bwrap/config.set.go
+++ b/helper/bwrap/config.set.go
@@ -136,3 +136,10 @@ func (c *Config) SetGID(gid int) *Config {
 	}
 	return c
 }
+
+// SetSync sets the sync pipe kept open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) SetSync(s *os.File) *Config {
+	c.sync = s
+	return c
+}
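Review bot: The doc comment on the new `Sync` getter in the second config.go hunk describes the bwrap option rather than the method; `// Sync keep this fd open while sandbox is running` should read something like `// Sync returns the file to be passed to bwrap as --sync-fd, or nil if SetSync was not called.` The `sync` field added in the first hunk is unexported and carries no `json` tag, unlike its neighbour `AsInit`, so encoding/json drops it from any serialized form of Config; that is worth stating in the field comment, e.g. `// not part of the JSON form of Config; only settable through SetSync`. The comment on `SetSync` in the config.set.go hunk could likewise say that a nil value disables --sync-fd, which is what the nil check in StartNotify does with the value NewBwrap reads back through Sync().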