colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: restrict/pasta: better comments

Browse Source
This commit is contained in:
Colin
2024-12-20 06:52:20 +00:00
parent 14f6087143
commit fad36e97a1
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkgs/by-name/bunpen/restrict/ns/pasta.ha
View File

@@ -32,15 +32,19 @@ fn setup_pasta(net: restrict::net_subset) void = {
log::printfln("[namespace/pasta]: forking: parent will launch pasta while child will exec user code");
match (fork_and_die_with_parent()) {
case let child_pid: os::exec::process =>
// close the side of the pipe that's not ours:
io::close(pipe_child_wr)!;
// wait for the child to signal that it's ready for us to attach pasta.
io::readall(pipe_parent_rd, &[0u8])!;
errors::ext::check("setup_pasta: attach", attach_pasta(net, child_pid));
errors::ext::check("setup_pasta: wait", wait_and_propagate(child_pid));
// cleanup: we're done with the pipe
io::close(pipe_parent_rd)!;
case void =>
// close the side of the pipe that's not ours:
io::close(pipe_parent_rd)!;
errors::ext::check("namespace: unshare net", rt::ext::unshare(rt::ext::clone_flag::NEWNET));
@@ -52,10 +56,13 @@ fn setup_pasta(net: restrict::net_subset) void = {
caps = rt::ext::CAPS_NONE, net = restrict::net_all, ...
};
restrict::capability_restrict(&res);
// let the parent know we're ready for pasta to attach to us
io::write(pipe_child_wr, [1])!;
// TODO: race condition here, where the child immediately continues on even
// though pasta hasn't created the device.
// cleanup: we're done with the pipe
io::close(pipe_child_wr)!;
case let e: (os::exec::error | rt::errno) =>