helper/bwrap: implement sync fd

This is required by wayland security-context-v1.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>

helper/bwrap/config.go

@@ -68,13 +68,16 @@ type Config struct {
 	// (--as-pid-1)
 	AsInit bool `json:"as_init"`
 
+	// keep this fd open while sandbox is running
+	// (--sync-fd FD)
+	sync *os.File
+
 	/* unmapped options include:
 	    --unshare-user-try           Create new user namespace if possible else continue by skipping it
 	    --unshare-cgroup-try         Create new cgroup namespace if possible else continue by skipping it
 	    --userns FD                  Use this user namespace (cannot combine with --unshare-user)
 	    --userns2 FD                 After setup switch to this user namespace, only useful with --userns
 	    --pidns FD                   Use this pid namespace (as parent namespace if using --unshare-pid)
-		--sync-fd FD                 Keep this fd open while sandbox is running
 	    --exec-label LABEL           Exec label for the sandbox
 	    --file-label LABEL           File label for temporary sandbox content
 	    --file FD DEST               Copy from FD to destination DEST
@@ -92,6 +95,12 @@ type Config struct {
 	among which --args is used internally for passing arguments */
 }
 
+// Sync keep this fd open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) Sync() *os.File {
+	return c.sync
+}
+
 type UnshareConfig struct {
 	// (--unshare-user)
 	// create new user namespace

helper/bwrap/config.set.go

@@ -136,3 +136,10 @@ func (c *Config) SetGID(gid int) *Config {
 	}
 	return c
 }
+
+// SetSync sets the sync pipe kept open while sandbox is running
+// (--sync-fd FD)
+func (c *Config) SetSync(s *os.File) *Config {
+	c.sync = s
+	return c
+}