mrtoth/agent-sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sort dirs before files in resolve_overlays

Browse Source 
Glob results within a SENSITIVE_PATHS entry could return files before
their parent directory. When that happens the file gets a null-bind
while its siblings remain visible, because the parent hasn't been added
to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
dependency.
This commit is contained in:
Kristóf Tóth
2026-03-25 22:54:56 +01:00
parent 82f84247f1
commit d3f8986b77
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/blacklist.rs
View File

@@ -19,7 +19,9 @@ pub fn resolve_overlays(ctx: &PathContext) -> Result<BlacklistOverlays, SandboxE
for raw in SENSITIVE_PATHS { for raw in SENSITIVE_PATHS {
let expanded = expand_path(raw, ctx); let expanded = expand_path(raw, ctx);
for path in expand_glob(&expanded)? { let mut paths = expand_glob(&expanded)?;
paths.sort_by_key(|p| !p.is_dir());
for path in paths {
match classify_path(&path) { match classify_path(&path) {
PathKind::Dir => tmpfs_dirs.push(path), PathKind::Dir => tmpfs_dirs.push(path),
PathKind::File => { PathKind::File => {