Consolidate whitelist mode setup into add_whitelist_mode

src/sandbox.rs

@@ -22,15 +22,6 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
         SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
     }
 
-    if matches!(config.mode, SandboxMode::Whitelist) {
-        cmd.args(["--tmpfs", "/tmp"]);
-        cmd.args(["--tmpfs", "/var/tmp"]);
-        cmd.args(["--dev", "/dev"]);
-        cmd.args(["--tmpfs", "/dev/shm"]);
-        cmd.args(["--tmpfs", "/run"]);
-        cmd.args(["--proc", "/proc"]);
-    }
-
     for path in agents::agent_rw_paths() {
         cmd.arg("--bind-try").arg(&path).arg(&path);
     }
@@ -107,34 +98,23 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
         "/etc/ld.so.conf",
         "/etc/ld.so.conf.d",
         "/etc/alternatives",
-    ] {
-        cmd.args(["--ro-bind-try", path, path]);
-    }
-
-    cmd.args(["--ro-bind-try", "/etc/ssl", "/etc/ssl"]);
-    cmd.args([
-        "--ro-bind-try",
+        "/etc/ssl",
         "/etc/ca-certificates",
-        "/etc/ca-certificates",
-    ]);
-    cmd.args(["--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf"]);
-    cmd.args(["--ro-bind-try", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]);
-    cmd.args(["--ro-bind-try", "/etc/passwd", "/etc/passwd"]);
-    cmd.args(["--ro-bind-try", "/etc/group", "/etc/group"]);
-
-    for path in [
+        "/etc/resolv.conf",
+        "/etc/nsswitch.conf",
+        "/etc/passwd",
+        "/etc/group",
         "/etc/hosts",
         "/etc/gai.conf",
         "/etc/services",
         "/etc/protocols",
+        "/etc/hostname",
+        "/etc/localtime",
+        "/etc/machine-id",
     ] {
         cmd.args(["--ro-bind-try", path, path]);
     }
 
-    for path in ["/etc/hostname", "/etc/localtime", "/etc/machine-id"] {
-        cmd.args(["--ro-bind-try", path, path]);
-    }
-
     cmd.args(["--ro-bind-try", "/sys", "/sys"]);
 
     let local_bin = format!("{home}/.local/bin");
@@ -143,6 +123,13 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
     let cache_dir = format!("{home}/.cache");
     cmd.arg("--tmpfs").arg(&cache_dir);
 
+    cmd.args(["--tmpfs", "/tmp"]);
+    cmd.args(["--tmpfs", "/var/tmp"]);
+    cmd.args(["--dev", "/dev"]);
+    cmd.args(["--tmpfs", "/dev/shm"]);
+    cmd.args(["--tmpfs", "/run"]);
+    cmd.args(["--proc", "/proc"]);
+
     Ok(())
 }