helper/bwrap: merge Args and FDArgs

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-14 18:13:06 +09:00 · 2025-02-14 18:13:06 +09:00 · ace97952cc
commit ace97952cc
parent 73146ea7fa
4 changed files with 33 additions and 48 deletions
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@ -75,9 +75,7 @@ func NewBwrap(
 	b.name = name
 	b.helperCmd = newHelperCmd(b, BubblewrapName, wt, argF, extraFiles)
-	args := conf.Args()
+	if v, err := NewCheckedArgs(conf.Args(syncFd, b.extraFiles, &b.files)); err != nil {
 	conf.FDArgs(syncFd, &args, b.extraFiles, &b.files)
 	if v, err := NewCheckedArgs(args); err != nil {
 		return nil, err
 	} else {
 		f := proc.NewWriterTo(v)
--- a/helper/bwrap/arg.go
+++ b/helper/bwrap/arg.go
@ -23,42 +23,22 @@ type FDBuilder interface {
 }
 // Args returns a slice of bwrap args corresponding to c.
-func (c *Config) Args() (args []string) {
+func (c *Config) Args(syncFd *os.File, extraFiles *proc.ExtraFilesPre, files *[]proc.File) (args []string) {
 	builders := []Builder{
 		c.boolArgs(),
 		c.intArgs(),
 		c.stringArgs(),
 		c.pairArgs(),
 	}
 	// copy FSBuilder slice to builder slice
 	fb := make([]Builder, len(c.Filesystem)+1)
 	for i, f := range c.Filesystem {
 		fb[i] = f
 	}
 	fb[len(fb)-1] = c.Chmod
 	builders = append(builders, fb...)
 	// accumulate arg count
 	argc := 0
 	for _, b := range builders {
 		argc += b.Len()
 	}
 	args = make([]string, 0, argc)
 	for _, b := range builders {
 		b.Append(&args)
 	}
 	return
 }
 func (c *Config) FDArgs(syncFd *os.File, args *[]string, extraFiles *proc.ExtraFilesPre, files *[]proc.File) {
 	builders := []FDBuilder{
 		c.seccompArgs(),
 		newFile(positionalArgs[SyncFd], syncFd),
 	}
 	builders = slices.Grow(builders, len(c.Filesystem)+1)
 	for _, f := range c.Filesystem {
 		builders = append(builders, f)
 	}
 	builders = append(builders, c.Chmod)
 	argc := 0
 	fc := 0
 	for _, b := range builders {
@ -67,22 +47,26 @@ func (c *Config) FDArgs(syncFd *os.File, args *[]string, extraFiles *proc.ExtraF
 			continue
 		}
 		argc += l
 		fc++
-		proc.InitFile(b, extraFiles)
+		if f, ok := b.(FDBuilder); ok {
 			fc++
 			proc.InitFile(f, extraFiles)
 		}
 	}
 	fc++ // allocate extra slot for stat fd
 	*args = slices.Grow(*args, argc)
 	*files = slices.Grow(*files, fc)
 	args = make([]string, 0, argc)
 	*files = slices.Grow(*files, fc)
 	for _, b := range builders {
 		if b.Len() < 1 {
 			continue
 		}
 		b.Append(&args)
-		b.Append(args)
+		if f, ok := b.(FDBuilder); ok {
-		*files = append(*files, b)
+			*files = append(*files, f)
 		}
 	}
 	return
 }
--- a/helper/bwrap/config_test.go
+++ b/helper/bwrap/config_test.go
@ -6,9 +6,15 @@ import (
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 func TestConfig_Args(t *testing.T) {
 	seccomp.CPrintln = fmsg.Println
 	t.Cleanup(func() { seccomp.CPrintln = nil })
 	testCases := []struct {
 		name string
 		conf *bwrap.Config
@ -137,13 +143,14 @@ func TestConfig_Args(t *testing.T) {
 			},
 		},
 		{
-			name: "hostname chdir setenv unsetenv lockfile chmod",
+			name: "hostname chdir setenv unsetenv lockfile chmod syscall",
 			conf: &bwrap.Config{
 				Hostname: "fortify",
 				Chdir:    "/.fortify",
 				SetEnv:   map[string]string{"FORTIFY_INIT": "/.fortify/sbin/init"},
 				UnsetEnv: []string{"HOME", "HOST"},
 				LockFile: []string{"/.fortify/lock"},
 				Syscall:  new(bwrap.SyscallPolicy),
 				Chmod:    map[string]os.FileMode{"/.fortify/sbin/init": 0755},
 			},
 			want: []string{
@ -160,6 +167,8 @@ func TestConfig_Args(t *testing.T) {
 				"--lock-file", "/.fortify/lock",
 				// SetEnv: map[string]string{"FORTIFY_INIT": "/.fortify/sbin/init"}
 				"--setenv", "FORTIFY_INIT", "/.fortify/sbin/init",
 				// Syscall: new(bwrap.SyscallPolicy),
 				"--seccomp", "3",
 				// Chmod: map[string]os.FileMode{"/.fortify/sbin/init": 0755}
 				"--chmod", "755", "/.fortify/sbin/init",
 			},
@ -167,12 +176,7 @@ func TestConfig_Args(t *testing.T) {
 		{
 			name: "xdg-dbus-proxy constraint sample",
-			conf: (&bwrap.Config{
+			conf: (&bwrap.Config{Clearenv: true, DieWithParent: true}).
 				Unshare:       nil,
 				UserNS:        false,
 				Clearenv:      true,
 				DieWithParent: true,
 			}).
 				Symlink("usr/bin", "/bin").
 				Symlink("var/home", "/home").
 				Symlink("usr/lib", "/lib").
@ -227,7 +231,7 @@ func TestConfig_Args(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if got := tc.conf.Args(); !slices.Equal(got, tc.want) {
+			if got := tc.conf.Args(nil, new(proc.ExtraFilesPre), new([]proc.File)); !slices.Equal(got, tc.want) {
 				t.Errorf("Args() = %#v, want %#v", got, tc.want)
 			}
 		})
--- a/helper/stub.go
+++ b/helper/stub.go
@ -155,9 +155,8 @@ func bwrapStub() {
 			DieWithParent: true,
 			AsInit:        true,
 		}
-		args := sc.Args()
+		if _, err := MustNewCheckedArgs(sc.Args(nil, new(proc.ExtraFilesPre), new([]proc.File))).
-		sc.FDArgs(nil, &args, new(proc.ExtraFilesPre), new([]proc.File))
+			WriteTo(want); err != nil {
 		if _, err := MustNewCheckedArgs(args).WriteTo(want); err != nil {
 			panic("cannot read want: " + err.Error())
 		}