Whitelist mode's implicit bwrap root was a writable tmpfs, letting the sandboxed process create files and directories anywhere not covered by an explicit ro mount. This was not an issue in blacklist mode due to --ro-bind / / covering that case. This patch adds --remount-ro / before any other mount to make the base layer read-only in both modes.
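As an added illustration (not the project's code), the following models the two bwrap argument lists the commit describes and audits whether the base layer stays a writable tmpfs; the helper names, the mode builders and the sample paths are assumptions.

```python
"""Model of the whitelist / blacklist bwrap argv and an audit helper.
Added example, not the project's own code; names and paths are assumed."""

# bwrap options that create a mount, with the number of arguments each takes.
MOUNT_ARITY = {"--bind": 2, "--ro-bind": 2, "--dev-bind": 2, "--tmpfs": 1,
               "--proc": 1, "--dev": 1, "--dir": 1, "--symlink": 2}
OTHER_ARITY = {"--remount-ro": 1, "--unshare-all": 0}


def whitelist_argv(ro_paths, fixed):
    """Whitelist mode: only the listed paths are exposed, read-only. The
    implicit root is a tmpfs, so without the fix everything else is writable."""
    argv = ["bwrap"]
    if fixed:
        argv += ["--remount-ro", "/"]  # the patch: base layer read-only first
    for p in ro_paths:
        argv += ["--ro-bind", p, p]
    return argv + ["--unshare-all", "sh"]


def blacklist_argv(rw_paths):
    """Blacklist mode: the whole host tree is mounted read-only and selected
    paths are re-opened for writing; --ro-bind / / already covers the base."""
    argv = ["bwrap", "--ro-bind", "/", "/"]
    for p in rw_paths:
        argv += ["--bind", p, p]
    return argv + ["--unshare-all", "sh"]


def base_layer_writable(argv):
    """True when the sandbox root remains a writable tmpfs: no `--ro-bind / /`
    and no `--remount-ro /` placed before the first mount (the position the
    commit uses, since --remount-ro only affects the named mount point)."""
    i, seen_mount = 1, False
    while i < len(argv) and argv[i].startswith("--"):
        opt = argv[i]
        if opt == "--remount-ro" and argv[i + 1] == "/" and not seen_mount:
            return False
        if opt == "--ro-bind" and argv[i + 1:i + 3] == ["/", "/"]:
            return False
        if opt in MOUNT_ARITY:
            seen_mount = True
        i += 1 + MOUNT_ARITY.get(opt, OTHER_ARITY.get(opt, 0))
    return True  # nothing made the tmpfs root read-only
```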