From d3f8986b77e5cdab464153ac9610694efca62186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?= <mrtoth@strongds.hu>
Date: Wed, 25 Mar 2026 22:54:56 +0100
Subject: [PATCH] Sort dirs before files in resolve_overlays

Glob results within a SENSITIVE_PATHS entry could return files before
their parent directory. When that happens the file gets a null-bind
while its siblings remain visible, because the parent hasn't been added
to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
dependency.
---
 src/blacklist.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/blacklist.rs b/src/blacklist.rs
index 7c406c7..48c4c2d 100644
--- a/src/blacklist.rs
+++ b/src/blacklist.rs
@@ -19,7 +19,9 @@ pub fn resolve_overlays(ctx: &PathContext) -> Result<BlacklistOverlays, SandboxE
 
     for raw in SENSITIVE_PATHS {
         let expanded = expand_path(raw, ctx);
-        for path in expand_glob(&expanded)? {
+        let mut paths = expand_glob(&expanded)?;
+        paths.sort_by_key(|p| !p.is_dir());
+        for path in paths {
             match classify_path(&path) {
                 PathKind::Dir => tmpfs_dirs.push(path),
                 PathKind::File => {