From 776650af01d56d1c38861420de7f4a077f0a61f8 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Fri, 10 Oct 2025 04:50:07 +0900
Subject: [PATCH] hst/config: negative WaitDelay bypasses default

This behaviour might be useful, so do not lock it out. This change also fixes an oversight where the unchecked value is used to determine ForwardCancel.

Signed-off-by: Ophestra
---
 hst/config.go | 4 ++--
 internal/app/outcome.go | 4 +++-
 internal/app/spcontainer.go | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/hst/config.go b/hst/config.go
index 9f4ee2f..a0843ae 100644
--- a/hst/config.go
+++ b/hst/config.go
@@ -67,8 +67,8 @@ type (
 Hostname string `json:"hostname,omitempty"`
 // Duration in nanoseconds to wait for after interrupting the initial process.
- // Defaults to [WaitDelayDefault] if less than or equals to zero,
- // or [WaitDelayMax] if greater than [WaitDelayMax].
+ // Defaults to [WaitDelayDefault] if zero, or [WaitDelayMax] if greater than [WaitDelayMax].
+ // Values lesser than zero is equivalent to zero, bypassing [WaitDelayDefault].
 WaitDelay time.Duration `json:"wait_delay,omitempty"`
 // Emit Flatpak-compatible seccomp filter programs.
diff --git a/internal/app/outcome.go b/internal/app/outcome.go
index 84a4bae..0999ae9 100644
--- a/internal/app/outcome.go
+++ b/internal/app/outcome.go
@@ -81,7 +81,9 @@ func (s *outcomeState) populateEarly(k syscallDispatcher, msg message.Msg) {
 s.Shim = &shimParams{PrivPID: os.Getpid(), Verbose: msg.IsVerbose()}
 // enforce bounds and default early
- if s.Container.WaitDelay <= 0 {
+ if s.Container.WaitDelay < 0 {
+ s.Shim.WaitDelay = 0
+ } else if s.Container.WaitDelay == 0 {
 s.Shim.WaitDelay = hst.WaitDelayDefault
 } else if s.Container.WaitDelay > hst.WaitDelayMax {
 s.Shim.WaitDelay = hst.WaitDelayMax
diff --git a/internal/app/spcontainer.go b/internal/app/spcontainer.go
index b637831..3426e7e 100644
--- a/internal/app/spcontainer.go
+++ b/internal/app/spcontainer.go
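Review bot: The revised WaitDelay comment in hst/config.go reads ambiguously, because "equivalent to zero" directly follows a sentence saying that zero selects [WaitDelayDefault]. It also omits that, per the spcontainer.go hunk of this patch, an effective delay of zero leaves ForwardCancel false. Suggested wording for the second added line: `// A negative value selects a zero delay instead of [WaitDelayDefault] and leaves ForwardCancel unset.` The enclosing type block starts and ends outside the hunk.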
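Review bot: The new negative branch in populateEarly comes with no test in this patch; the diffstat lists only hst/config.go, internal/app/outcome.go and internal/app/spcontainer.go. WaitDelay is read from the `wait_delay` config field, so a table-driven case for negative, zero, in-range and above-WaitDelayMax inputs would pin both s.Shim.WaitDelay and the ForwardCancel value that toContainer derives from it. The existing comment could also name the intent, for example `// negative is deliberate: zero delay, bypassing hst.WaitDelayDefault`. The chain now has at least four arms and would read more clearly as a bare `switch`; its final arm and the rest of the function lie outside the hunk.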
@@ -65,7 +65,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
 // the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 // this behaviour is implemented in the shim
- state.params.ForwardCancel = state.Container.WaitDelay >= 0
+ state.params.ForwardCancel = state.Shim.WaitDelay > 0
 if state.Container.Multiarch {
 state.params.SeccompFlags |= seccomp.AllowMultiarch
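Review bot: The new right-hand side `state.Shim.WaitDelay > 0` makes ForwardCancel depend on populateEarly having already filled in state.Shim, and nothing visible in this hunk establishes that ordering or that state.Shim is non-nil at this point. If that invariant holds elsewhere, it deserves a comment on this line, for example `// state.Shim.WaitDelay is the bounded value from populateEarly; zero (negative in config) disables cancel forwarding`. The two comment lines above the assignment describe cancellation but not why it is tied to the delay, so the added comment would also close that gap. toContainer's body starts and ends outside the hunk.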