From 2262c926ceeecd93df0d663821e399d5a74297e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Smr=C5=BE?=
Date: Fri, 16 Jan 2026 20:50:38 +0100
Subject: Try bind-mount /tmp into sandbox when it's not a separate filesystem
---
 src/main.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/main.c b/src/main.c
index b543d8e..9a6abcb 100644
--- a/src/main.c
+++ b/src/main.c
@@ -109,7 +109,7 @@ int main( int argc, char * argv[] )
 };
 ret = mount_setattr( -1, "/run/new_root", AT_RECURSIVE, attr_ro, sizeof( * attr_ro ) );
 if( ret < 0 ){
- fprintf( stderr, "failed set new_root as read-only: %s\n", strerror( errno ));
+ fprintf( stderr, "failed set sandbox root as read-only: %s\n", strerror( errno ));
 return 1;
 }
@@ -118,17 +118,24 @@ int main( int argc, char * argv[] )
 };
 ret = mount_setattr( -1, "/run/new_root/proc", AT_RECURSIVE, attr_rw, sizeof( * attr_rw ) );
 if( ret < 0 ){
- fprintf( stderr, "failed set new_root/proc as read-write: %s\n", strerror( errno ));
+ fprintf( stderr, "failed set sandbox /proc as read-write: %s\n", strerror( errno ));
 return 1;
 }
 ret = mount_setattr( -1, "/run/new_root/tmp", AT_RECURSIVE, attr_rw, sizeof( * attr_rw ) );
 if( ret < 0 ){
- fprintf( stderr, "failed set new_root/tmp as read-write: %s\n", strerror( errno ));
+ if( errno == EINVAL ){
+ // Original /tmp is not a separate filesystem, so we can't just change the attributes
+ ret = mount( "/tmp", "/run/new_root/tmp", NULL, MS_BIND, NULL );
+ if( ret < 0 )
+ fprintf( stderr, "failed to bind-mount original /tmp in sandbox as read-write: %s\n", strerror( errno ));
+ } else {
+ fprintf( stderr, "failed set sandbox /tmp as read-write: %s\n", strerror( errno ));
+ }
 }
 ret = mount( "tmpfs", "/run/new_root/run", "tmpfs", 0, "size=4m" );
 if( ret < 0 ){
- fprintf( stderr, "failed to mount tmpfs on new_root/run: %s\n", strerror( errno ));
+ fprintf( stderr, "failed to mount tmpfs on sandbox /run: %s\n", strerror( errno ));
 return 1;
 }
--
cgit v1.2.3
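Review bot: The fallback `mount( "/tmp", "/run/new_root/tmp", NULL, MS_BIND, NULL )` in the second hunk makes a host directory writable inside the sandbox with whatever flags the mount backing host `/tmp` carries, and in this branch that is the parent (presumably root) filesystem, which is often mounted without `nosuid`/`nodev`. Consider following a successful bind with a `mount_setattr` on `/run/new_root/tmp` whose `attr_set` is `MOUNT_ATTR_NOSUID | MOUNT_ATTR_NODEV`, so the writable area cannot carry setuid files or device nodes; how much this matters depends on the namespace setup, which is not visible here. Both failure paths in this branch only print and fall through, unlike the `return 1` in the neighbouring branches, so the sandbox continues with `/tmp` still covered by the recursive read-only attribute; if that is intended, a comment such as `// non-fatal: sandbox continues with read-only /tmp` would say so. The unbraced `if( ret < 0 )` before the `fprintf` should get braces like the rest of the file. `main` starts and ends outside the hunk.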