From 9d41b2bae22e881751775d67750d23dc4b0b423f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?=
Date: Sat, 23 May 2020 01:14:50 +0200
Subject: [PATCH] Mount root as tmpfs, allow real rw in home directory only
---
 isolated-protonmail-bridge.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/isolated-protonmail-bridge.sh b/isolated-protonmail-bridge.sh
index 5e8a997..e20b002 100755
--- a/isolated-protonmail-bridge.sh
+++ b/isolated-protonmail-bridge.sh
@@ -5,20 +5,19 @@ HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
 JAIL_HOME=/home/proton
 BIN="${BIN:-entrypoint.sh}"
-if [[ -z "${ROOTFS:-}" ]]; then
- echo "Please set the ROOTFS envvar!"
+if [[ -z "${BRIDGE_HOME:-}" ]]; then
+ echo "Please set the BRIDGE_HOME envvar!"
 exit 1
 else
- ROOTFS="$(realpath "${ROOTFS}")"
+ BRIDGE_HOME="$(realpath "${BRIDGE_HOME}")"
 fi
-rm -rf "${ROOTFS}/dev/fd"
-
 nsjail -Mo \
 --disable_clone_newnet \
- --chroot "${ROOTFS}" --rw \
 --cwd "${JAIL_HOME}" \
+ --tmpfsmount / \
 --tmpfsmount /tmp --tmpfsmount /run \
+ --bindmount "${BRIDGE_HOME}:${JAIL_HOME}" \
 --symlink /proc/self/fd:/dev/fd \
 --bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh" \
 --bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt" \
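Review bot: `BRIDGE_HOME` becomes the only host path mounted read-write into the jail via `--bindmount "${BRIDGE_HOME}:${JAIL_HOME}"`, but the guard before it rejects only an empty value. GNU `realpath` without `-e` accepts a path whose last component does not exist, and a value containing `:` would presumably be mis-split by the `src:dst` argument, so a mistyped path shows up only as a mount failure inside nsjail, or as a different mount than intended. After the `realpath` line I would add `[[ -d "${BRIDGE_HOME}" && "${BRIDGE_HOME}" != *:* ]] || { echo "BRIDGE_HOME must be an existing directory without ':'" >&2; exit 1; }`, and send the existing "Please set the BRIDGE_HOME envvar!" message to stderr too. The nsjail command continues past the end of the hunk, so the remaining mounts and options are not visible here.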