From 07181138e5abdf78dfcd6e9100362349ec4a81e8 Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Mon, 17 Mar 2025 21:53:31 +0900
Subject: [PATCH] sandbox/mount: pass absolute path

This should never be used unless there is a good reason to, like using a file in the intermediate root.

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 sandbox/mount.go      | 8 ++++++--
 sandbox/sequential.go | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/sandbox/mount.go b/sandbox/mount.go
index e2cc290..216a585 100644
--- a/sandbox/mount.go
+++ b/sandbox/mount.go
@@ -11,9 +11,11 @@ import (
 const (
 	BindOptional = 1 << iota
 	BindSource
-	BindRecursive
 	BindWritable
 	BindDevice
+
+	bindAbsolute
+	bindRecursive
 )
 
 func bindMount(src, dest string, flags int) error {
@@ -39,6 +41,8 @@ func bindMount(src, dest string, flags int) error {
 	} else if flags&BindOptional != 0 {
 		return msg.WrapErr(syscall.EINVAL,
 			"flag source excludes optional")
+	} else if flags&bindAbsolute != 0 {
+		source = src
 	} else {
 		source = toHost(src)
 	}
@@ -60,7 +64,7 @@ func bindMount(src, dest string, flags int) error {
 	}
 
 	var mf uintptr = syscall.MS_SILENT | syscall.MS_BIND
-	if flags&BindRecursive != 0 {
+	if flags&bindRecursive != 0 {
 		mf |= syscall.MS_REC
 	}
 	if flags&BindWritable == 0 {
diff --git a/sandbox/sequential.go b/sandbox/sequential.go
index 2a38c89..1ffe4e7 100644
--- a/sandbox/sequential.go
+++ b/sandbox/sequential.go
@@ -36,7 +36,7 @@ func (b *BindMount) String() string {
 	return fmt.Sprintf("%q on %q flags %#x", b.Source, b.Target, b.Flags&BindWritable)
 }
 func (f *Ops) Bind(source, target string, flags int) *Ops {
-	*f = append(*f, &BindMount{source, target, flags | BindRecursive})
+	*f = append(*f, &BindMount{source, target, flags | bindRecursive})
 	return f
 }