From c8e0d4813a894b0b1b0122000a831101323c0807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?= <mrtoth@strongds.hu>
Date: Fri, 20 Mar 2026 19:29:53 +0100
Subject: [PATCH] Use --ro-bind-try for system files in whitelist mode

---
 src/sandbox.rs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/sandbox.rs b/src/sandbox.rs
index 130cb0e..436d1b8 100644
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -82,16 +82,16 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
         cmd.args(["--ro-bind-try", path, path]);
     }
 
-    cmd.args(["--ro-bind", "/etc/ssl", "/etc/ssl"]);
+    cmd.args(["--ro-bind-try", "/etc/ssl", "/etc/ssl"]);
     cmd.args([
         "--ro-bind-try",
         "/etc/ca-certificates",
         "/etc/ca-certificates",
     ]);
-    cmd.args(["--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]);
-    cmd.args(["--ro-bind", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]);
-    cmd.args(["--ro-bind", "/etc/passwd", "/etc/passwd"]);
-    cmd.args(["--ro-bind", "/etc/group", "/etc/group"]);
+    cmd.args(["--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf"]);
+    cmd.args(["--ro-bind-try", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]);
+    cmd.args(["--ro-bind-try", "/etc/passwd", "/etc/passwd"]);
+    cmd.args(["--ro-bind-try", "/etc/group", "/etc/group"]);
 
     for path in [
         "/etc/hosts",