From 5fc7eb3c11d75a5ac7533e76c3975b136fe9cb9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?=
Date: Wed, 25 Mar 2026 23:43:48 +0100
Subject: [PATCH] Consolidate whitelist mode setup into add_whitelist_mode

---
 src/sandbox.rs | 43 +++++++++++++++----------------------------
 1 file changed, 15 insertions(+), 28 deletions(-)

diff --git a/src/sandbox.rs b/src/sandbox.rs
index 1933a09..e4ab81d 100644
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -22,15 +22,6 @@ pub fn build_command(config: &SandboxConfig) -> Result {
 SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
 }

- if matches!(config.mode, SandboxMode::Whitelist) {
- cmd.args(["--tmpfs", "/tmp"]);
- cmd.args(["--tmpfs", "/var/tmp"]);
- cmd.args(["--dev", "/dev"]);
- cmd.args(["--tmpfs", "/dev/shm"]);
- cmd.args(["--tmpfs", "/run"]);
- cmd.args(["--proc", "/proc"]);
- }
-
 for path in agents::agent_rw_paths() {
 cmd.arg("--bind-try").arg(&path).arg(&path);
 }
@@ -107,34 +98,23 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
 "/etc/ld.so.conf",
 "/etc/ld.so.conf.d",
 "/etc/alternatives",
- ] {
- cmd.args(["--ro-bind-try", path, path]);
- }
-
- cmd.args(["--ro-bind-try", "/etc/ssl", "/etc/ssl"]);
- cmd.args([
- "--ro-bind-try",
+ "/etc/ssl",
 "/etc/ca-certificates",
- "/etc/ca-certificates",
- ]);
- cmd.args(["--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf"]);
- cmd.args(["--ro-bind-try", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]);
- cmd.args(["--ro-bind-try", "/etc/passwd", "/etc/passwd"]);
- cmd.args(["--ro-bind-try", "/etc/group", "/etc/group"]);
-
- for path in [
+ "/etc/resolv.conf",
+ "/etc/nsswitch.conf",
+ "/etc/passwd",
+ "/etc/group",
 "/etc/hosts",
 "/etc/gai.conf",
 "/etc/services",
 "/etc/protocols",
+ "/etc/hostname",
+ "/etc/localtime",
+ "/etc/machine-id",
 ] {
 cmd.args(["--ro-bind-try", path, path]);
 }

- for path in ["/etc/hostname", "/etc/localtime", "/etc/machine-id"] {
- cmd.args(["--ro-bind-try", path, path]);
- }
-
 cmd.args(["--ro-bind-try", "/sys", "/sys"]);

 let local_bin = format!("{home}/.local/bin");
@@ -143,6 +123,13 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
 let cache_dir = format!("{home}/.cache");
 cmd.arg("--tmpfs").arg(&cache_dir);

+ cmd.args(["--tmpfs", "/tmp"]);
+ cmd.args(["--tmpfs", "/var/tmp"]);
+ cmd.args(["--dev", "/dev"]);
+ cmd.args(["--tmpfs", "/dev/shm"]);
+ cmd.args(["--tmpfs", "/run"]);
+ cmd.args(["--proc", "/proc"]);
+
 Ok(())
 }
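Review bot: The merged `--ro-bind-try` list in add_whitelist_mode now places the TLS trust roots (`/etc/ssl`, `/etc/ca-certificates`), resolver and NSS configuration, the `/etc/passwd` / `/etc/group` account databases and the host identity/timezone files in one undifferentiated loop, with nothing stating why each host file is exposed or that `--ro-bind-try` silently skips a source that does not exist. Suggest a comment above the loop such as `// Host files exposed read-only: TLS trust roots, name resolution, uid/gid lookup, hostname/timezone. --ro-bind-try ignores an absent source, so a missing file surfaces only as an error inside the sandbox.` That keeps the whitelist auditable as entries are added. add_whitelist_mode begins before this hunk and continues after it.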
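Review bot: The `--tmpfs` / `--dev` / `--proc` block that now closes add_whitelist_mode carries no comment that its position is load-bearing: bubblewrap applies mounts in argument order, so `--tmpfs /run`, `--tmpfs /tmp` or `--dev /dev` shadows any bind placed earlier beneath those prefixes, and a future `--ro-bind-try` appended after this block would behave differently from one placed above it. Suggest a comment before the first `cmd.args(["--tmpfs", "/tmp"])` such as `// Keep last in this function: bwrap mounts in argument order, and these tmpfs/dev/proc mounts hide any earlier bind under /tmp, /var/tmp, /dev or /run.` The writable agent paths from build_command's `--bind-try` loop (first hunk) are still appended after this function returns, so that ordering is unchanged by the move. The function's header lies outside this hunk.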