Fix blacklist bind mount order

2026-03-20 21:02:48 +01:00
parent 826c6d5531
commit 94535b20d3
2 changed files with 32 additions and 6 deletions
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -57,6 +57,12 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
    let ctx = blacklist::resolve_path_context()?;
    cmd.args(["--ro-bind", "/", "/"]);

+    cmd.args(["--dev-bind", "/dev", "/dev"]);
+    cmd.args(["--proc", "/proc"]);
+    cmd.args(["--bind", "/tmp", "/tmp"]);
+    cmd.args(["--bind", "/var/tmp", "/var/tmp"]);
+    cmd.args(["--bind", "/run", "/run"]);
+
    let overlays = blacklist::resolve_overlays(&ctx)?;
    for dir in &overlays.tmpfs_dirs {
        cmd.arg("--tmpfs").arg(dir);
@@ -65,12 +71,6 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
        cmd.arg("--ro-bind").arg("/dev/null").arg(file);
    }

-    cmd.args(["--dev-bind", "/dev", "/dev"]);
-    cmd.args(["--proc", "/proc"]);
-    cmd.args(["--bind", "/tmp", "/tmp"]);
-    cmd.args(["--bind", "/var/tmp", "/var/tmp"]);
-    cmd.args(["--bind", "/run", "/run"]);
-
    Ok(())
 }