security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

helper/bwrap: move sync to helper state
All checks were successful
Build / Create distribution (push) Successful in 1m25s
Details
Test / Run NixOS test (push) Successful in 3m33s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-01-19 18:38:13 +09:00
parent cae567c109
commit 2f70506865
10 changed files with 76 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
helper/bwrap/builder.go
View File

@@ -161,10 +161,3 @@ func (c *Config) SetGID(gid int) *Config {
}
return c
}
// SetSync sets the sync pipe kept open while sandbox is running
// (--sync-fd FD)
func (c *Config) SetSync(s *os.File) *Config {
c.sync = s
return c
}

14
helper/bwrap/config.go
View File

@@ -1,9 +1,5 @@
package bwrap
import (
"os"
)
type Config struct {
// unshare every namespace we support by default if nil
// (--unshare-all)
@@ -61,10 +57,6 @@ type Config struct {
// (--as-pid-1)
AsInit bool `json:"as_init"`
// keep this fd open while sandbox is running
// (--sync-fd FD)
sync *os.File
/* unmapped options include:
--unshare-user-try Create new user namespace if possible else continue by skipping it
--unshare-cgroup-try Create new cgroup namespace if possible else continue by skipping it
@@ -90,12 +82,6 @@ type Config struct {
among which --args is used internally for passing arguments */
}
// Sync keep this fd open while sandbox is running
// (--sync-fd FD)
func (c *Config) Sync() *os.File {
return c.sync
}
type UnshareConfig struct {
// (--unshare-user)
// create new user namespace

11
helper/bwrap/config_test.go
View File

@@ -126,8 +126,7 @@ func TestConfig_Args(t *testing.T) {
name: "uid gid sync",
conf: (new(bwrap.Config)).
SetUID(1971).
SetGID(100).
SetSync(os.Stdin),
SetGID(100),
want: []string{
"--unshare-all", "--unshare-user",
"--disable-userns", "--assert-userns-disabled",
@@ -135,8 +134,6 @@ func TestConfig_Args(t *testing.T) {
"--uid", "1971",
// SetGID(100)
"--gid", "100",
// SetSync(os.Stdin)
// this is set when the process is created
},
},
{
@@ -246,10 +243,4 @@ func TestConfig_Args(t *testing.T) {
}()
(new(bwrap.Config)).Persist("/run", "", "")
})
t.Run("sync file", func(t *testing.T) {
if s := (new(bwrap.Config)).SetSync(os.Stdout).Sync(); s != os.Stdout {
t.Errorf("Sync() = %v", s)
}
})
}