container: optionally isolate host abstract UNIX domain sockets via landlock

2025-08-17 16:16:52 +09:00
1 changed files with 7 additions and 28 deletions
--- a/container/container.go
+++ b/container/container.go
@ -9,7 +9,6 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"runtime"
 	"strconv"
 	. "syscall"
 	"time"
@ -37,8 +36,6 @@ type (
 		setup *gob.Encoder
 		// cancels cmd
 		cancel context.CancelFunc
-		// closed after Wait returns
-		wait chan struct{}

 		Stdin  io.Reader
 		Stdout io.Writer
@ -175,23 +172,11 @@ func (p *Container) Start() error {
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)

-	done := make(chan error, 1)
-	go func() {
-		runtime.LockOSThread()
-		p.wait = make(chan struct{})
-
-		done <- func() error { // setup depending on per-thread state must happen here
-			msg.Verbose("starting container init")
-			if err := p.cmd.Start(); err != nil {
-				return msg.WrapErr(err, err.Error())
-			}
-			return nil
-		}()
-
-		// keep this thread alive until Wait returns for cancel
-		<-p.wait
-	}()
-	return <-done
+	msg.Verbose("starting container init")
+	if err := p.cmd.Start(); err != nil {
+		return msg.WrapErr(err, err.Error())
+	}
+	return nil
 }

 // Serve serves [Container.Params] to the container init.
@ -232,14 +217,8 @@ func (p *Container) Serve() error {
 	return err
 }

-// Wait waits for the container init process to exit and releases any resources associated with the [Container].
-func (p *Container) Wait() error {
-	if p.wait == nil {
-		return EINVAL
-	}
-	defer func() { close(p.wait); p.cancel(); p.wait = nil }()
-	return p.cmd.Wait()
-}
+// Wait waits for the container init process to exit.
+func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() }

 func (p *Container) String() string {
 	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",