cmd/fshim/main.go

@@ -13,7 +13,6 @@ import (
 	"git.ophivana.moe/security/fortify/helper"
 	"git.ophivana.moe/security/fortify/internal"
 	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/proc"
 )
 
 // everything beyond this point runs as unconstrained target user
@@ -111,14 +110,17 @@ func main() {
 
 	var extraFiles []*os.File
 
-	// serve setup payload
+	// share config pipe
-	if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
+	if r, w, err := os.Pipe(); err != nil {
 		fmsg.Fatalf("cannot pipe: %v", err)
 	} else {
-		conf.SetEnv[init0.Env] = strconv.Itoa(fd)
+		conf.SetEnv[init0.Env] = strconv.Itoa(3 + len(extraFiles))
+		extraFiles = append(extraFiles, r)
+
+		fmsg.VPrintln("transmitting config to init")
 		go func() {
-			fmsg.VPrintln("transmitting config to init")
+			// stream config to pipe
-			if err = encoder.Encode(&ic); err != nil {
+			if err = gob.NewEncoder(w).Encode(&ic); err != nil {
 				fmsg.Fatalf("cannot transmit init config: %v", err)
 			}
 		}()

internal/proc/fd.go

@@ -12,16 +12,6 @@ var (
 	ErrInvalid = errors.New("bad file descriptor")
 )
 
-func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
-	if r, w, err := os.Pipe(); err != nil {
-		return -1, nil, err
-	} else {
-		fd := 3 + len(*extraFiles)
-		*extraFiles = append(*extraFiles, r)
-		return fd, gob.NewEncoder(w), nil
-	}
-}
-
 func Receive(key string, e any) (func() error, error) {
 	var setup *os.File