maemachinebroke/hakurei
1
0
Fork 0
forked from security/hakurei
Code Pull Requests Activity

internal/app: mount /dev/shm early

Browse Source 
This avoids covering /dev/shm mounts from hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-09-14 01:35:17 +09:00
parent 3f25c3f0af
commit ca247b8037
11 changed files with 26 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/app/container.go
View File

@@ -98,6 +98,8 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
} else {
params.Bind(container.AbsFHSDev, container.AbsFHSDev, container.BindWritable|container.BindDevice)
}
// /dev is mounted readonly later on, this prevents /dev/shm from going readonly with it
params.Tmpfs(container.AbsFHSDev.Append("shm"), 0, 01777)
/* retrieve paths and hide them if they're made available in the sandbox;
@@ -230,9 +232,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
// no more ContainerConfig paths beyond this point
if !s.Device {
params.
Remount(container.AbsFHSDev, syscall.MS_RDONLY).
Tmpfs(container.AbsFHSDev.Append("shm"), 0, 01777)
params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
}
return params, maps.Clone(s.Env), nil