From 50dafb4c37015de7dd9c8d182c196f617bc91051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?=
Date: Fri, 20 Mar 2026 20:40:57 +0100
Subject: [PATCH] Fix read-only /dev, /proc, /tmp, /var/tmp, /run in blacklist mode

---
 src/sandbox.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/sandbox.rs b/src/sandbox.rs
index 436d1b8..9ddefcb 100644
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -22,9 +22,11 @@ pub fn build_command(config: &SandboxConfig) -> Result {
         SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
     }
 
-    if hardened {
+    if matches!(config.mode, SandboxMode::Whitelist) {
         cmd.args(["--tmpfs", "/tmp"]);
+        cmd.args(["--tmpfs", "/var/tmp"]);
         cmd.args(["--dev", "/dev"]);
+        cmd.args(["--tmpfs", "/dev/shm"]);
         cmd.args(["--tmpfs", "/run"]);
         cmd.args(["--proc", "/proc"]);
     }
@@ -62,6 +64,13 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
     for file in &overlays.null_bind_files {
         cmd.arg("--ro-bind").arg("/dev/null").arg(file);
     }
+
+    cmd.args(["--dev-bind", "/dev", "/dev"]);
+    cmd.args(["--proc", "/proc"]);
+    cmd.args(["--bind", "/tmp", "/tmp"]);
+    cmd.args(["--bind", "/var/tmp", "/var/tmp"]);
+    cmd.args(["--bind", "/run", "/run"]);
+
 
     Ok(())
 }
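Review bot: The new `matches!(config.mode, SandboxMode::Whitelist)` guard re-dispatches on `config.mode` directly after the `match` that already selected `add_whitelist_mode`, so the whitelist-only mounts now live in two places; the `--tmpfs`/`--dev`/`--proc` lines would sit more naturally inside `add_whitelist_mode`, mirroring how the second hunk puts the blacklist binds into `add_blacklist_mode`. If the `hardened` binding the old condition read is still declared earlier in `build_command` (outside this hunk), it is now unused and will warn. The block also deserves a one-line comment, e.g. `// Whitelist mode gets fresh, empty /tmp, /var/tmp, /run and /dev/shm, a fresh devtmpfs on /dev and a private /proc.`, since the reason the two modes treat these paths differently is currently only in the commit message.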
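Review bot: The five new bind lines are appended after the `--ro-bind /dev/null` overlay loop, and bwrap applies mount operations in argument order, so any path under `/dev`, `/tmp`, `/var/tmp` or `/run` listed in `overlays.null_bind_files` (or in the earlier overlay loops, which start outside this hunk, as does `add_blacklist_mode` itself) would be covered by the later `--bind`/`--dev-bind` of its parent directory and the per-file denial silently undone. Moving the new block ahead of the overlay loops keeps the per-file overlays on top; whether any overlay currently lives under those directories is not visible here and should be checked. Separately, `--dev-bind /dev /dev` exposes every host device node read-write and `--bind /run /run` shares host runtime sockets, a much wider surface than the whitelist branch's `--dev /dev`, so a comment such as `// Blacklist mode deliberately shares the host's /dev, /proc, /tmp, /var/tmp and /run read-write.` should record that trade-off next to the code.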