container/ops: mount dev readonly

There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-03 19:18:53 +09:00
parent 7b416d47dc
commit 38245559dc
10 changed files with 36 additions and 15 deletions
--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@@ -118,7 +118,7 @@ var testCasesNixos = []sealTestCase{
 			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev", true).
+				DevWritable("/dev", true).
 				Bind("/bin", "/bin", 0).
 				Bind("/usr/bin", "/usr/bin", 0).
 				Bind("/nix/store", "/nix/store", 0).
@@ -131,6 +131,7 @@ var testCasesNixos = []sealTestCase{
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
 				Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional).
 				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
+				Remount("/dev", syscall.MS_RDONLY).
 				Tmpfs("/run/user", 4096, 0755).
 				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable).
 				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable).
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@@ -46,12 +46,13 @@ var testCasesPd = []sealTestCase{
 				Root("/", "4a450b6596d7bc15bd01780eb9a607ac", container.BindWritable).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev", true).
+				DevWritable("/dev", true).
 				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
 				Readonly("/var/run/nscd", 0755).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
+				Remount("/dev", syscall.MS_RDONLY).
 				Tmpfs("/run/user", 4096, 0755).
 				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable).
 				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
@@ -180,13 +181,14 @@ var testCasesPd = []sealTestCase{
 				Root("/", "ebf083d1b175911782d413369b64ce7c", container.BindWritable).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev", true).
+				DevWritable("/dev", true).
 				Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
 				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
 				Readonly("/var/run/nscd", 0755).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
+				Remount("/dev", syscall.MS_RDONLY).
 				Tmpfs("/run/user", 4096, 0755).
 				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable).
 				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable).
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@@ -85,7 +85,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		Tmpfs(hst.Tmp, 1<<12, 0755)

 	if !s.Device {
-		params.Dev("/dev", true)
+		params.DevWritable("/dev", true)
 	} else {
 		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
 	}
@@ -239,6 +239,11 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		params.Etc(etcPath, prefix)
 	}

+	// no more ContainerConfig paths beyond this point
+	if !s.Device {
+		params.Remount("/dev", syscall.MS_RDONLY)
+	}
+
 	return params, maps.Clone(s.Env), nil
 }