From 2e0a4795f6a0016832d8fc51884abce4d01a8a58 Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Mon, 25 Aug 2025 23:24:54 +0900
Subject: [PATCH] container/initbind: optional ensure host directory

This is used for ensuring persistent data directories specific to the container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 container/initbind.go      | 16 ++++++++++++++--
 container/initbind_test.go | 22 ++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/container/initbind.go b/container/initbind.go
index 18f4493..bda8cb6 100644
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -23,8 +23,6 @@ type BindMountOp struct {
 	Flags int
 }
 
-func (b *BindMountOp) Valid() bool { return b != nil && b.Source != nil && b.Target != nil }
-
 const (
 	// BindOptional skips nonexistent host paths.
 	BindOptional = 1 << iota
@@ -32,9 +30,23 @@ const (
 	BindWritable
 	// BindDevice allows access to devices (special files) on this filesystem.
 	BindDevice
+	// BindEnsure attempts to create the host path if it does not exist.
+	BindEnsure
 )
 
+func (b *BindMountOp) Valid() bool {
+	return b != nil &&
+		b.Source != nil && b.Target != nil &&
+		b.Flags&(BindOptional|BindEnsure) != (BindOptional|BindEnsure)
+}
+
 func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
+	if b.Flags&BindEnsure != 0 {
+		if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
+			return wrapErrSelf(err)
+		}
+	}
+
 	if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
 		if os.IsNotExist(err) && b.Flags&BindOptional != 0 {
 			// leave sourceFinal as nil
diff --git a/container/initbind_test.go b/container/initbind_test.go
index 1de47de..aedbad5 100644
--- a/container/initbind_test.go
+++ b/container/initbind_test.go
@@ -47,6 +47,27 @@ func TestBindMountOp(t *testing.T) {
 			{"ensureFile", expectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, errUnique},
 		}, errUnique},
 
+		{"mkdirAll ensure", new(Params), &BindMountOp{
+			Source: MustAbs("/bin/"),
+			Target: MustAbs("/bin/"),
+			Flags:  BindEnsure,
+		}, []kexpect{
+			{"mkdirAll", expectArgs{"/bin/", os.FileMode(0700)}, nil, errUnique},
+		}, wrapErrSelf(errUnique), nil, nil},
+
+		{"success ensure", new(Params), &BindMountOp{
+			Source: MustAbs("/bin/"),
+			Target: MustAbs("/usr/bin/"),
+			Flags:  BindEnsure,
+		}, []kexpect{
+			{"mkdirAll", expectArgs{"/bin/", os.FileMode(0700)}, nil, nil},
+			{"evalSymlinks", expectArgs{"/bin/"}, "/usr/bin", nil},
+		}, nil, []kexpect{
+			{"stat", expectArgs{"/host/usr/bin"}, isDirFi(true), nil},
+			{"mkdirAll", expectArgs{"/sysroot/usr/bin", os.FileMode(0700)}, nil, nil},
+			{"bindMount", expectArgs{"/host/usr/bin", "/sysroot/usr/bin", uintptr(0x4005), false}, nil, nil},
+		}, nil},
+
 		{"success device ro", new(Params), &BindMountOp{
 			Source: MustAbs("/dev/null"),
 			Target: MustAbs("/dev/null"),
@@ -134,6 +155,7 @@ func TestBindMountOp(t *testing.T) {
 		{"zero", new(BindMountOp), false},
 		{"nil source", &BindMountOp{Target: MustAbs("/")}, false},
 		{"nil target", &BindMountOp{Source: MustAbs("/")}, false},
+		{"flag optional ensure", &BindMountOp{Source: MustAbs("/"), Target: MustAbs("/"), Flags: BindOptional | BindEnsure}, false},
 		{"valid", &BindMountOp{Source: MustAbs("/"), Target: MustAbs("/")}, true},
 	})