From 985f9442e6e027c24b8694c4b6bfd8a9b35739fd Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 26 Mar 2025 01:42:39 +0900
Subject: [PATCH] sandbox: copy symlink with magic prefix
This does not dereference the symlink, but only reads one level of it. This is useful for symlink targets that are not yet known at the time the configuration is emitted.
Signed-off-by: Ophestra
---
 sandbox/sequential.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/sandbox/sequential.go b/sandbox/sequential.go
index 60c0977..39a7525 100644
--- a/sandbox/sequential.go
+++ b/sandbox/sequential.go
@@ -8,6 +8,7 @@ import (
 "path"
 "path/filepath"
 "slices"
+ "strings"
 "syscall"
 "unsafe"
 )
@@ -294,7 +295,21 @@ func init() { gob.Register(new(Symlink)) }
 // Symlink creates a symlink in the container filesystem.
 type Symlink [2]string
-func (l *Symlink) early(*Params) error { return nil }
+func (l *Symlink) early(*Params) error {
+ if strings.HasPrefix(l[0], "*") {
+ l[0] = l[0][1:]
+ if !path.IsAbs(l[0]) {
+ return msg.WrapErr(syscall.EBADE,
+ fmt.Sprintf("path %q is not absolute", l[0]))
+ }
+ if name, err := os.Readlink(l[0]); err != nil {
+ return wrapErrSelf(err)
+ } else {
+ l[0] = name
+ }
+ }
+ return nil
+}
 func (l *Symlink) apply(params *Params) error {
 // symlink target is an arbitrary path value, so only validate link name here
 if !path.IsAbs(l[1]) {
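Review bot: The leading `*` that `early` tests on `l[0]` is in-band signalling on a field that `apply` describes as an arbitrary path value, so a literal target beginning with `*` can no longer be expressed. Any caller that forwards an externally influenced target string would also get an `os.Readlink` of an arbitrary absolute path, presumably against the filesystem visible before the container root is set up, with the result copied into the container. The `Symlink` type comment does not mention the prefix; I would add something like `// A target prefixed with "*" names an absolute path that early reads once with readlink(2); the result is used unvalidated (it may be relative) as the symlink target.` `early` also rewrites `l[0]` before its checks pass and is not idempotent, since a readlink result that itself starts with `*` would be reinterpreted on a second call; resolving into a local with `if p, ok := strings.CutPrefix(l[0], "*"); ok {` and assigning `l[0] = name` only after `os.Readlink` succeeds avoids both. The body of `apply` continues outside the hunk, so whether it constrains the resolved target is not visible here.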