diff --git a/cmd/fshim/ipc/shim/shim.go b/cmd/fshim/ipc/shim/shim.go
index d01d02e..4b6b5f8 100644
--- a/cmd/fshim/ipc/shim/shim.go
+++ b/cmd/fshim/ipc/shim/shim.go
@@ -16,6 +16,7 @@ import (
 shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
 "git.ophivana.moe/security/fortify/internal"
 "git.ophivana.moe/security/fortify/internal/fmsg"
+ "git.ophivana.moe/security/fortify/internal/proc"
 )
 const shimSetupTimeout = 5 * time.Second
@@ -113,9 +114,8 @@ func (s *Shim) Start() (*time.Time, error) {
 // pass sync fd if set
 if s.payload.Bwrap.Sync() != nil {
- fd := uintptr(3 + len(s.cmd.ExtraFiles))
+ fd := proc.ExtraFile(s.cmd, s.payload.Bwrap.Sync())
 s.payload.Sync = &fd
- s.cmd.ExtraFiles = append(s.cmd.ExtraFiles, s.payload.Bwrap.Sync())
 }
 fmsg.VPrintln("starting shim via fsu:", s.cmd)
diff --git a/helper/bwrap.go b/helper/bwrap.go
index 2788dbf..5b674b4 100644
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@@ -9,6 +9,7 @@ import (
 "sync"
 "git.ophivana.moe/security/fortify/helper/bwrap"
+ "git.ophivana.moe/security/fortify/internal/proc"
 )
 // BubblewrapName is the file name or path to bubblewrap.
@@ -76,8 +77,7 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
 }
 if b.sync != nil {
- b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(3+len(b.Cmd.ExtraFiles)))
- b.Cmd.ExtraFiles = append(b.Cmd.ExtraFiles, b.sync)
+ b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
 }
 if err := b.Cmd.Start(); err != nil {
diff --git a/helper/pipe.go b/helper/pipe.go
index e601328..2a55305 100644
--- a/helper/pipe.go
+++ b/helper/pipe.go
@@ -5,6 +5,8 @@ import (
 "io"
 "os"
 "os/exec"
+
+ "git.ophivana.moe/security/fortify/internal/proc"
 )
 type pipes struct {
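Review bot: In the StartNotify hunk of helper/bwrap.go, the call that appends b.sync to b.Cmd.ExtraFiles now sits inside the argument list of `append(b.Cmd.Args, ...)`, so the mutation of the command is easy to miss on a line that reads like pure argument formatting. Binding the result first keeps the side effect visible: `syncFd := proc.ExtraFile(b.Cmd, b.sync)` followed by `b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(syncFd)))`. This matters because the number passed to `--sync-fd` is only correct when the file was appended at the same point. StartNotify's body starts and ends outside the hunk.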
@@ -47,24 +49,21 @@ func (p *pipes) pipe() error {
 }
 // calls pipe to create pipes and sets them up as ExtraFiles, returning their fd
-func (p *pipes) prepareCmd(cmd *exec.Cmd) (int, int, error) {
- if err := p.pipe(); err != nil {
- return -1, -1, err
+func (p *pipes) prepareCmd(cmd *exec.Cmd) (argsFd, statFd int, err error) {
+ argsFd, statFd = -1, -1
+ if err = p.pipe(); err != nil {
+ return
 }
 // save a reference of cmd for future use
 p.cmd = cmd
- // ExtraFiles: If non-nil, entry i becomes file descriptor 3+i.
- argsFd := 3 + len(cmd.ExtraFiles)
- cmd.ExtraFiles = append(cmd.ExtraFiles, p.argsP[0])
-
+ argsFd = int(proc.ExtraFile(cmd, p.argsP[0]))
 if p.ready != nil {
- cmd.ExtraFiles = append(cmd.ExtraFiles, p.statP[1])
- return argsFd, argsFd + 1, nil
- } else {
- return argsFd, -1, nil
+ statFd = int(proc.ExtraFile(cmd, p.statP[1]))
 }
+
+ return
 }
 func (p *pipes) readyWriteArgs() error {
diff --git a/internal/proc/files.go b/internal/proc/files.go
new file mode 100644
index 0000000..5a5e1c2
--- /dev/null
+++ b/internal/proc/files.go
@@ -0,0 +1,13 @@
+package proc
+
+import (
+ "os"
+ "os/exec"
+)
+
+func ExtraFile(cmd *exec.Cmd, f *os.File) (fd uintptr) {
+ // ExtraFiles: If non-nil, entry i becomes file descriptor 3+i.
+ fd = uintptr(3 + len(cmd.ExtraFiles))
+ cmd.ExtraFiles = append(cmd.ExtraFiles, f)
+ return
+}
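Review bot: prepareCmd in helper/pipe.go now exits through bare `return` statements, so the failure path yields -1, -1 only because of the `argsFd, statFd = -1, -1` assignment at the top of the function. Spelling the values out keeps the sentinel contract visible at each exit: `return -1, -1, err` when p.pipe() fails and `return argsFd, statFd, nil` at the end. The comment above the function could also say that statFd is -1 when p.ready is nil, since callers presumably branch on it.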
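Review bot: ExtraFile in internal/proc/files.go is exported without a doc comment, and the descriptor number it returns is only meaningful under conditions the code does not state. I would add `// ExtraFile appends f to cmd.ExtraFiles and returns the descriptor number f will have in the child process (3 + its index).` and note that it must be called before cmd.Start and that later reordering or removal of cmd.ExtraFiles entries invalidates the number. The comment should also say f must be non-nil: the shim.go and bwrap.go call sites check for nil first, but a nil f would still produce a number for a descriptor that os.ProcAttr.Files documents as closed in the child. If that contract should be enforced rather than documented, the function would need an error return or a guard, which is a signature decision for the author.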