From 4babf33439270af1cb3ba8ebbd6d49364df3f54f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?= <mrtoth@strongds.hu>
Date: Fri, 15 May 2026 10:08:22 +0200
Subject: [PATCH] Expand default path coverage for common tools

---
 src/sandbox.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/sandbox.rs b/src/sandbox.rs
index d52a43c..1a0ecac 100644
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -164,9 +164,12 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
             "/run/udev",
             "/run/NetworkManager/resolv.conf",
             "/run/media",
+            "/run/utmp",
         ],
     );
 
+    cmd.arg("--tmpfs").arg("/run/systemd/system");
+
     ensure_parent_dirs(cmd, "/run", &ctx.run_user);
     cmd.arg("--tmpfs").arg(&ctx.run_user);
     let run_user_bus = format!("{}/bus", ctx.run_user);
@@ -204,6 +207,14 @@ fn add_whitelist_mode(
         "/etc/hostname",
         "/etc/localtime",
         "/etc/machine-id",
+        "/etc/os-release",
+        "/etc/lsb-release",
+        "/etc/locale.conf",
+        "/etc/inputrc",
+        "/etc/shells",
+        "/etc/man_db.conf",
+        "/etc/pki",
+        "/etc/timezone",
     ] {
         cmd.args(["--ro-bind-try", path, path]);
     }