Canonicalize blacklist overlay paths to skirt /var/run symlink

src/blacklist.rs

@@ -14,8 +14,8 @@ pub struct BlacklistOverlays {
 }
 
 pub fn resolve_overlays(ctx: &PathContext) -> Result<BlacklistOverlays, SandboxError> {
-    let mut tmpfs_dirs = Vec::new();
-    let mut null_bind_files = Vec::new();
+    let mut tmpfs_dirs: Vec<PathBuf> = Vec::new();
+    let mut null_bind_files: Vec<PathBuf> = Vec::new();
 
     for raw in SENSITIVE_PATHS {
         let expanded = expand_path(raw, ctx);
@@ -23,9 +23,13 @@ pub fn resolve_overlays(ctx: &PathContext) -> Result<BlacklistOverlays, SandboxE
         paths.sort_by_key(|p| !p.is_dir());
         for path in paths {
             match classify_path(&path) {
-                PathKind::Dir => tmpfs_dirs.push(path),
-                PathKind::File => {
-                    if !is_under_tmpfs_dir(&path, &tmpfs_dirs) {
+                PathKind::Dir(path) => {
+                    if !tmpfs_dirs.contains(&path) {
+                        tmpfs_dirs.push(path);
+                    }
+                }
+                PathKind::File(path) => {
+                    if !is_under_tmpfs_dir(&path, &tmpfs_dirs) && !null_bind_files.contains(&path) {
                         null_bind_files.push(path);
                     }
                 }
@@ -47,15 +51,15 @@ pub fn resolve_path_context() -> Result<PathContext, SandboxError> {
 }
 
 enum PathKind {
-    Dir,
-    File,
+    Dir(PathBuf),
+    File(PathBuf),
     Missing,
 }
 
 fn classify_path(path: &Path) -> PathKind {
-    match fs::metadata(path) {
-        Ok(m) if m.is_dir() => PathKind::Dir,
-        Ok(_) => PathKind::File,
+    match fs::canonicalize(path) {
+        Ok(path) if path.is_dir() => PathKind::Dir(path),
+        Ok(path) => PathKind::File(path),
         Err(_) => PathKind::Missing,
     }
 }