helper/bwrap: integrate seccomp into helper interface

This makes API usage much cleaner, and encapsulates all bwrap arguments in argsWt.

Signed-off-by: Ophestra <cat@gensokyo.uk>

helper/bwrap/arg.go

@@ -1,6 +1,13 @@
 package bwrap
 
-import "encoding/gob"
+import (
+	"encoding/gob"
+	"os"
+	"slices"
+	"strconv"
+
+	"git.gensokyo.uk/security/fortify/internal/proc"
+)
 
 type Builder interface {
 	Len() int
@@ -12,6 +19,11 @@ type FSBuilder interface {
 	Builder
 }
 
+type FDBuilder interface {
+	Len() int
+	Append(args *[]string, extraFiles *[]*os.File) error
+}
+
 func init() {
 	gob.Register(new(pairF))
 	gob.Register(new(stringF))
@@ -45,6 +57,33 @@ func (s stringF) Append(args *[]string) {
 	*args = append(*args, s[0], s[1])
 }
 
+type fileF struct {
+	name string
+	file *os.File
+}
+
+func (f *fileF) Len() int {
+	if f.file == nil {
+		return 0
+	}
+	return 2
+}
+
+func (f *fileF) Append(args *[]string, extraFiles *[]*os.File) error {
+	if f.file == nil {
+		return nil
+	}
+	extraFile(args, extraFiles, f.name, f.file)
+	return nil
+}
+
+func extraFile(args *[]string, extraFiles *[]*os.File, name string, f *os.File) {
+	if f == nil {
+		return
+	}
+	*args = append(*args, name, strconv.Itoa(int(proc.ExtraFileSlice(extraFiles, f))))
+}
+
 // Args returns a slice of bwrap args corresponding to c.
 func (c *Config) Args() (args []string) {
 	builders := []Builder{
@@ -75,3 +114,25 @@ func (c *Config) Args() (args []string) {
 
 	return
 }
+
+func (c *Config) FDArgs(syncFd *os.File, extraFiles *[]*os.File) (args []string, err error) {
+	builders := []FDBuilder{
+		&seccompBuilder{c},
+		&fileF{positionalArgs[SyncFd], syncFd},
+	}
+
+	argc := 0
+	for _, b := range builders {
+		argc += b.Len()
+	}
+
+	args = make([]string, 0, argc)
+	*extraFiles = slices.Grow(*extraFiles, len(builders))
+
+	for _, b := range builders {
+		if err = b.Append(&args, extraFiles); err != nil {
+			break
+		}
+	}
+	return
+}