Fix read-only /dev, /proc, /tmp, /var/tmp, /run in blacklist mode

src/sandbox.rs

@@ -22,9 +22,11 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
         SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
     }
 
-    if hardened {
+    if matches!(config.mode, SandboxMode::Whitelist) {
         cmd.args(["--tmpfs", "/tmp"]);
+        cmd.args(["--tmpfs", "/var/tmp"]);
         cmd.args(["--dev", "/dev"]);
+        cmd.args(["--tmpfs", "/dev/shm"]);
         cmd.args(["--tmpfs", "/run"]);
         cmd.args(["--proc", "/proc"]);
     }
@@ -62,6 +64,13 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
     for file in &overlays.null_bind_files {
         cmd.arg("--ro-bind").arg("/dev/null").arg(file);
     }
+
+    cmd.args(["--dev-bind", "/dev", "/dev"]);
+    cmd.args(["--proc", "/proc"]);
+    cmd.args(["--bind", "/tmp", "/tmp"]);
+    cmd.args(["--bind", "/var/tmp", "/var/tmp"]);
+    cmd.args(["--bind", "/run", "/run"]);
+
     Ok(())
 }