maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

container/initdev: mount tmpfs on shm for ro dev

Browse Source 
Programs expect /dev/shm to be a writable tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-08-26 03:15:32 +09:00
parent 07194c74cb
commit 9bc8532d56
12 changed files with 30 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
container/initdev.go
View File

@@ -72,8 +72,9 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
}
}
devShmPath := path.Join(target, "shm")
devPtsPath := path.Join(target, "pts")
for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
for _, name := range []string{devShmPath, devPtsPath} {
if err := k.mkdir(name, state.ParentPerm); err != nil {
return wrapErrSelf(err)
}
@@ -117,8 +118,12 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
if d.Write {
return nil
}
return wrapErrSuffix(k.remount(target, MS_RDONLY),
fmt.Sprintf("cannot remount %q:", target))
if err := k.remount(target, MS_RDONLY); err != nil {
return wrapErrSuffix(k.remount(target, MS_RDONLY),
fmt.Sprintf("cannot remount %q:", target))
}
return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
}
func (d *MountDevOp) Is(op Op) bool {