helper/bwrap: move sync to helper state

Signed-off-by: Ophestra <cat@gensokyo.uk>

helper/bwrap.go

@@ -21,7 +21,8 @@ type bubblewrap struct {
 
 	// bwrap pipes
 	control *pipes
-	// sync pipe
+	// keep this fd open while sandbox is running
+	// (--sync-fd FD)
 	sync *os.File
 	// returns an array of arguments passed directly
 	// to the child process spawned by bwrap
@@ -119,8 +120,12 @@ func (b *bubblewrap) Unwrap() *exec.Cmd {
 // MustNewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
 // If wt is nil, the child process spawned by bwrap will not get an argument pipe.
 // Function argF returns an array of arguments passed directly to the child process.
-func MustNewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) Helper {
-	b, err := NewBwrap(conf, wt, name, argF)
+func MustNewBwrap(
+	conf *bwrap.Config, name string,
+	wt io.WriterTo, argF func(argsFD, statFD int) []string,
+	syncFd *os.File,
+) Helper {
+	b, err := NewBwrap(conf, name, wt, argF, syncFd)
 	if err != nil {
 		panic(err.Error())
 	} else {
@@ -131,7 +136,11 @@ func MustNewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(arg
 // NewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
 // If wt is nil, the child process spawned by bwrap will not get an argument pipe.
 // Function argF returns an array of arguments passed directly to the child process.
-func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) (Helper, error) {
+func NewBwrap(
+	conf *bwrap.Config, name string,
+	wt io.WriterTo, argF func(argsFD, statFD int) []string,
+	syncFd *os.File,
+) (Helper, error) {
 	b := new(bubblewrap)
 
 	if args, err := NewCheckedArgs(conf.Args()); err != nil {
@@ -140,7 +149,7 @@ func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD,
 		b.control = &pipes{args: args}
 	}
 
-	b.sync = conf.Sync()
+	b.sync = syncFd
 	b.argF = argF
 	b.name = name
 	if wt != nil {

helper/bwrap/builder.go

@@ -161,10 +161,3 @@ func (c *Config) SetGID(gid int) *Config {
 	}
 	return c
 }
-
-// SetSync sets the sync pipe kept open while sandbox is running
-// (--sync-fd FD)
-func (c *Config) SetSync(s *os.File) *Config {
-	c.sync = s
-	return c
-}

helper/bwrap/config.go

@@ -1,9 +1,5 @@
 package bwrap
 
-import (
-	"os"
-)
-
 type Config struct {
 	// unshare every namespace we support by default if nil
 	// (--unshare-all)
@@ -61,10 +57,6 @@ type Config struct {
 	// (--as-pid-1)
 	AsInit bool `json:"as_init"`
 
-	// keep this fd open while sandbox is running
-	// (--sync-fd FD)
-	sync *os.File
-
 	/* unmapped options include:
 	    --unshare-user-try           Create new user namespace if possible else continue by skipping it
 	    --unshare-cgroup-try         Create new cgroup namespace if possible else continue by skipping it
@@ -90,12 +82,6 @@ type Config struct {
 	among which --args is used internally for passing arguments */
 }
 
-// Sync keep this fd open while sandbox is running
-// (--sync-fd FD)
-func (c *Config) Sync() *os.File {
-	return c.sync
-}
-
 type UnshareConfig struct {
 	// (--unshare-user)
 	// create new user namespace

helper/bwrap/config_test.go

@@ -126,8 +126,7 @@ func TestConfig_Args(t *testing.T) {
 			name: "uid gid sync",
 			conf: (new(bwrap.Config)).
 				SetUID(1971).
-				SetGID(100).
-				SetSync(os.Stdin),
+				SetGID(100),
 			want: []string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
@@ -135,8 +134,6 @@ func TestConfig_Args(t *testing.T) {
 				"--uid", "1971",
 				// SetGID(100)
 				"--gid", "100",
-				// SetSync(os.Stdin)
-				// this is set when the process is created
 			},
 		},
 		{
@@ -246,10 +243,4 @@ func TestConfig_Args(t *testing.T) {
 		}()
 		(new(bwrap.Config)).Persist("/run", "", "")
 	})
-
-	t.Run("sync file", func(t *testing.T) {
-		if s := (new(bwrap.Config)).SetSync(os.Stdout).Sync(); s != os.Stdout {
-			t.Errorf("Sync() = %v", s)
-		}
-	})
 }

helper/bwrap_test.go

@@ -31,7 +31,11 @@ func TestBwrap(t *testing.T) {
 			helper.BubblewrapName = bubblewrapName
 		})
 
-		h := helper.MustNewBwrap(sc, argsWt, "fortify", argF)
+		h := helper.MustNewBwrap(
+			sc, "fortify",
+			argsWt, argF,
+			nil,
+		)
 
 		if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
 			t.Errorf("Start() error = %v, wantErr %v",
@@ -40,7 +44,11 @@ func TestBwrap(t *testing.T) {
 	})
 
 	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.MustNewBwrap(sc, argsWt, "fortify", argF); got == nil {
+		if got := helper.MustNewBwrap(
+			sc, "fortify",
+			argsWt, argF,
+			nil,
+		); got == nil {
 			t.Errorf("MustNewBwrap(%#v, %#v, %#v) got nil",
 				sc, argsWt, "fortify")
 			return
@@ -56,7 +64,11 @@ func TestBwrap(t *testing.T) {
 			}
 		}()
 
-		helper.MustNewBwrap(&bwrap.Config{Hostname: "\x00"}, nil, "fortify", argF)
+		helper.MustNewBwrap(
+			&bwrap.Config{Hostname: "\x00"}, "fortify",
+			nil, argF,
+			nil,
+		)
 	})
 
 	t.Run("start notify without pipes panic", func(t *testing.T) {
@@ -69,13 +81,21 @@ func TestBwrap(t *testing.T) {
 		}()
 
 		panic(fmt.Sprintf("unreachable: %v",
-			helper.MustNewBwrap(sc, nil, "fortify", argF).StartNotify(make(chan error))))
+			helper.MustNewBwrap(
+				sc, "fortify",
+				nil, argF,
+				nil,
+			).StartNotify(make(chan error))))
 	})
 
 	t.Run("start without pipes", func(t *testing.T) {
 		helper.InternalReplaceExecCommand(t)
 
-		h := helper.MustNewBwrap(sc, nil, "crash-test-dummy", argFChecked)
+		h := helper.MustNewBwrap(
+			sc, "crash-test-dummy",
+			nil, argFChecked,
+			nil,
+		)
 		cmd := h.Unwrap()
 
 		stdout, stderr := new(strings.Builder), new(strings.Builder)
@@ -107,6 +127,6 @@ func TestBwrap(t *testing.T) {
 	})
 
 	t.Run("implementation compliance", func(t *testing.T) {
-		testHelper(t, func() helper.Helper { return helper.MustNewBwrap(sc, argsWt, "crash-test-dummy", argF) })
+		testHelper(t, func() helper.Helper { return helper.MustNewBwrap(sc, "crash-test-dummy", argsWt, argF, nil) })
 	})
 }