helper/bwrap: move sync to helper state

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/start.go

@@ -45,32 +45,19 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 		}
 	}
 
-	a.shim = new(shim.Shim)
-	// keep a reference to shim payload for sync fd
-	payload := &shim.Payload{
-		Argv:  a.seal.command,
-		Exec:  shimExec,
-		Bwrap: a.seal.sys.bwrap,
-		Home:  a.seal.sys.user.data,
-
-		Verbose: fmsg.Verbose(),
-	}
-
 	// startup will go ahead, commit system setup
 	if err := a.seal.sys.Commit(); err != nil {
 		return err
 	}
 	a.seal.sys.needRevert = true
 
-	// export sync pipe from sys
-	a.seal.sys.bwrap.SetSync(a.seal.sys.Sync())
-
 	// start shim via manager
+	a.shim = new(shim.Shim)
 	waitErr := make(chan error, 1)
 	if startTime, err := a.shim.Start(
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
-		payload,
+		a.seal.sys.Sync(),
 	); err != nil {
 		return err
 	} else {
@@ -88,7 +75,14 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 		}()
 
 		// send payload
-		if err = a.shim.Serve(shimSetupCtx, payload); err != nil {
+		if err = a.shim.Serve(shimSetupCtx, &shim.Payload{
+			Argv:  a.seal.command,
+			Exec:  shimExec,
+			Bwrap: a.seal.sys.bwrap,
+			Home:  a.seal.sys.user.data,
+
+			Verbose: fmsg.Verbose(),
+		}); err != nil {
 			return err
 		}
 

internal/proc/priv/shim/main.go

@@ -62,8 +62,9 @@ func Main() {
 	}
 
 	// restore bwrap sync fd
+	var syncFd *os.File
 	if payload.Sync != nil {
-		payload.Bwrap.SetSync(os.NewFile(*payload.Sync, "sync"))
+		syncFd = os.NewFile(*payload.Sync, "sync")
 	}
 
 	// close setup socket
@@ -134,8 +135,11 @@ func Main() {
 	conf.Symlink("fortify", innerInit)
 
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, innerInit,
-		func(int, int) []string { return make([]string, 0) }); err != nil {
+	if b, err := helper.NewBwrap(
+		conf, innerInit,
+		nil, func(int, int) []string { return make([]string, 0) },
+		syncFd,
+	); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {
 		cmd := b.Unwrap()

internal/proc/priv/shim/manager.go

@@ -24,6 +24,8 @@ type Shim struct {
 	killFallback chan error
 	// monitor to shim encoder
 	encoder *gob.Encoder
+	// bwrap --sync-fd value
+	sync *uintptr
 }
 
 func (s *Shim) String() string {
@@ -46,8 +48,8 @@ func (s *Shim) Start(
 	aid string,
 	// string representation of supplementary group ids
 	supp []string,
-	// shim setup payload
-	payload *Payload,
+	// bwrap --sync-fd
+	syncFd *os.File,
 ) (*time.Time, error) {
 	// prepare user switcher invocation
 	var fsu string
@@ -80,9 +82,9 @@ func (s *Shim) Start(
 	s.cmd.Dir = "/"
 
 	// pass sync fd if set
-	if payload.Bwrap.Sync() != nil {
-		fd := proc.ExtraFile(s.cmd, payload.Bwrap.Sync())
-		payload.Sync = &fd
+	if syncFd != nil {
+		fd := proc.ExtraFile(s.cmd, syncFd)
+		s.sync = &fd
 	}
 
 	fmsg.VPrintln("starting shim via fsu:", s.cmd)
@@ -106,6 +108,7 @@ func (s *Shim) Serve(ctx context.Context, payload *Payload) error {
 	}
 	defer func() { killShim() }()
 
+	payload.Sync = s.sync
 	encodeErr := make(chan error)
 	go func() { encodeErr <- s.encoder.Encode(payload) }()