container: enforce nonrepeatable autoetc and autoroot

These keep track of some internal state, and they don't make sense to have multiple instances of anyway, so instead of dealing with that, just make them nonrepetable. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-17 01:43:11 +09:00
parent 8aa65f28c6
commit 9c1a5d43ba
3 changed files with 18 additions and 1 deletions
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -56,6 +56,11 @@ func (r *AutoRootOp) early(state *setupState) error {
 }

 func (r *AutoRootOp) apply(state *setupState) error {
+	if state.nonrepeatable&nrAutoRoot != 0 {
+		return msg.WrapErr(syscall.EINVAL, "autoroot is not repeatable")
+	}
+	state.nonrepeatable |= nrAutoRoot
+
 	for _, op := range r.resolved {
 		msg.Verbosef("%s %s", op.prefix(), op)
 		if err := op.apply(state); err != nil {