common: introduce flatpak_bwrap_add_sync_fd

The same logic will be used for Wayland security context.
flatpak · alexlarsson · Aug 24, 2023 · Jun 3, 2022 · Jun 15, 2023 · Jun 15, 2023
commit 7db62760deca0ac1030b573f1e5d26b117acc439
diff --git a/common/flatpak-bwrap-private.h b/common/flatpak-bwrap-private.h
@@ -28,6 +28,7 @@ typedef struct
  GArray *fds;
  GStrv envp;
  GPtrArray *runtime_dir_members;
+ int sync_fds[2];
 } FlatpakBwrap;
 
 extern char *flatpak_bwrap_empty_env[1];
@@ -92,6 +93,8 @@ void flatpak_bwrap_child_setup_cb (gpointer user_data);
 void flatpak_bwrap_child_setup (GArray *fd_array,
  gboolean close_fd_workaround);
 
+int flatpak_bwrap_add_sync_fd (FlatpakBwrap *bwrap);
+
 G_DEFINE_AUTOPTR_CLEANUP_FUNC (FlatpakBwrap, flatpak_bwrap_free)
 
 

diff --git a/common/flatpak-bwrap.c b/common/flatpak-bwrap.c
@@ -68,6 +68,9 @@ flatpak_bwrap_new (char **env)
  else
  bwrap->envp = g_get_environ ();
 
+ bwrap->sync_fds[0] = -1;
+ bwrap->sync_fds[1] = -1;
+
  return bwrap;
 }
 
@@ -526,3 +529,19 @@ flatpak_bwrap_child_setup_cb (gpointer user_data)
 
  flatpak_bwrap_child_setup (fd_array, TRUE);
 }
+
+/* Add a --sync-fd argument for bwrap(1). Returns the write end of the pipe on
+ * success, or -1 on error. */
+int
+flatpak_bwrap_add_sync_fd (FlatpakBwrap *bwrap)
+{
+ /* --sync-fd is only allowed once */
+ if (bwrap->sync_fds[1] >= 0)
+ return bwrap->sync_fds[1];
+
+ if (pipe2 (bwrap->sync_fds, O_CLOEXEC) < 0)
+ return -1;
+
+ flatpak_bwrap_add_args_data_fd (bwrap, "--sync-fd", bwrap->sync_fds[0], NULL);
+ return bwrap->sync_fds[1];
+}
diff --git a/common/flatpak-run-dbus.c b/common/flatpak-run-dbus.c
@@ -117,8 +117,8 @@ flatpak_run_maybe_start_dbus_proxy (FlatpakBwrap *app_bwrap,
  const char *proxy;
  g_autofree char *commandline = NULL;
  g_autoptr(FlatpakBwrap) proxy_bwrap = NULL;
- int sync_fds[2] = {-1, -1};
  int proxy_start_index;
+ int sync_fd;
 
  if (flatpak_bwrap_is_empty (proxy_arg_bwrap))
  {
@@ -139,19 +139,16 @@ flatpak_run_maybe_start_dbus_proxy (FlatpakBwrap *app_bwrap,
 
  proxy_start_index = proxy_bwrap->argv->len;
 
- if (pipe2 (sync_fds, O_CLOEXEC) < 0)
+ sync_fd = flatpak_bwrap_add_sync_fd (app_bwrap);
+ if (sync_fd < 0)
  {
  g_set_error_literal (error, G_IO_ERROR, g_io_error_from_errno (errno),
  _("Unable to create sync pipe"));
  return FALSE;
  }
 
- /* read end goes to app */
- flatpak_bwrap_add_args_data_fd (app_bwrap, "--sync-fd", sync_fds[0], NULL);
-
- /* write end goes to proxy */
- flatpak_bwrap_add_fd (proxy_bwrap, sync_fds[1]);
- flatpak_bwrap_add_arg_printf (proxy_bwrap, "--fd=%d", sync_fds[1]);
+ flatpak_bwrap_add_fd (proxy_bwrap, sync_fd);
+ flatpak_bwrap_add_arg_printf (proxy_bwrap, "--fd=%d", sync_fd);
 
  /* Note: This steals the fds from proxy_arg_bwrap */
  flatpak_bwrap_append_bwrap (proxy_bwrap, proxy_arg_bwrap);
@@ -178,7 +175,7 @@ flatpak_run_maybe_start_dbus_proxy (FlatpakBwrap *app_bwrap,
  g_clear_pointer (&proxy_bwrap, flatpak_bwrap_free);
 
  /* Sync with proxy, i.e. wait until its listening on the sockets */
- if (read (sync_fds[0], &x, 1) != 1)
+ if (read (app_bwrap->sync_fds[0], &x, 1) != 1)
  {
  g_set_error_literal (error, G_IO_ERROR, g_io_error_from_errno (errno),
  _("Failed to sync with dbus proxy"));