container/ops: mount dev readonly

There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/container_linux.go

@@ -85,7 +85,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		Tmpfs(hst.Tmp, 1<<12, 0755)
 
 	if !s.Device {
-		params.Dev("/dev", true)
+		params.DevWritable("/dev", true)
 	} else {
 		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
 	}
@@ -239,6 +239,11 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		params.Etc(etcPath, prefix)
 	}
 
+	// no more ContainerConfig paths beyond this point
+	if !s.Device {
+		params.Remount("/dev", syscall.MS_RDONLY)
+	}
+
 	return params, maps.Clone(s.Env), nil
 }