Let --rw override --ro on a child path by emitting ro binds first

2026-04-12 14:36:07 +02:00
parent 327c2933e7
commit 8f30d28965
2 changed files with 37 additions and 3 deletions
@@ -210,6 +210,40 @@ fn extra_rw_mount() {
    );
 }

+#[test]
+fn rw_refines_ro_parent() {
+    let parent = TempDir::new().expect("failed to create temp dir");
+    let child = parent.path().join("sub");
+    fs::create_dir(&child).expect("failed to create sub dir");
+    fs::write(parent.path().join("top.txt"), "top").expect("write");
+    fs::write(child.join("inner.txt"), "inner").expect("write");
+    let parent_str = parent.path().to_str().unwrap();
+    let child_str = child.to_str().unwrap();
+
+    let output = sandbox(&["--ro", parent_str, "--rw", child_str])
+        .args([
+            "--",
+            "bash",
+            "-c",
+            &format!(
+                "touch {parent_str}/top_new 2>&1 || echo parent_ro; \
+                 touch {child_str}/child_new && echo child_rw"
+            ),
+        ])
+        .output()
+        .expect("agent-sandbox binary failed to execute");
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    assert!(
+        stdout.contains("parent_ro"),
+        "parent should be read-only, got: {stdout}"
+    );
+    assert!(
+        stdout.contains("child_rw"),
+        "child should be writable, got: {stdout}"
+    );
+}
+
 #[test]
 fn chdir_override() {
    let dir = TempDir::new().expect("failed to create temp dir");