From 54da6ce03d33f6503a6753813de825f3d0447903 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 7 Jan 2026 01:03:49 +0900
Subject: [PATCH] internal/pkg: respect mount order for overlay temp
Setting it up after everything else prevents covering files in /tmp.
Signed-off-by: Ophestra
---
 internal/pkg/exec.go | 46 +++++++++++++++++------------------
 internal/pkg/testdata/main.go | 16 ++++++------
 2 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index 289b7f9..6e050b1 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -186,11 +186,15 @@ func (a *execArtifact) cure(c *CureContext, hostNet bool) (err error) {
 cures = runtime.NumCPU()
 }
+ overlayTempIndex := -1
 paths := make([][2]*check.Absolute, len(a.paths))
 for i, p := range a.paths {
 if p.P == nil || p.A == nil {
 return os.ErrInvalid
 }
+ if p.P.Is(fhs.AbsTmp) {
+ overlayTempIndex = i
+ }
 paths[i][1] = p.P
 }
@@ -275,14 +279,26 @@ func (a *execArtifact) cure(c *CureContext, hostNet bool) (err error) {
 if len(paths) > 0 && paths[0][1].Is(fhs.AbsRoot) {
 z.OverlayEphemeral(fhs.AbsRoot, paths[0][0])
 paths = paths[1:]
+ overlayTempIndex--
 }
- var overlayTemp *check.Absolute
- for _, b := range paths {
- if b[1].Is(fhs.AbsTmp) {
- if overlayTemp != nil {
- z.Bind(overlayTemp, fhs.AbsTmp, 0)
+
+ for i, b := range paths {
+ if i == overlayTempIndex {
+ temp := c.GetTempDir()
+ tempUpper := temp.Append("upper")
+ if err = os.MkdirAll(tempUpper.String(), 0700); err != nil {
+ return
 }
- overlayTemp = b[0]
+ tempWork := temp.Append("work")
+ if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
+ return
+ }
+ z.Overlay(
+ fhs.AbsTmp,
+ tempUpper,
+ tempWork,
+ b[0],
+ )
 continue
 }
 z.Bind(b[0], b[1], 0)
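Review bot: In the first exec.go hunk, `overlayTempIndex = i` is overwritten on every match, so when several `a.paths` entries target /tmp only the last one is overlaid and the earlier ones take the plain `z.Bind(b[0], b[1], 0)` path in the next hunk. That appears to match the removed code, but the rule is now implicit; a comment on the declaration would record it, e.g. `// index of the last a.paths entry targeting /tmp; negative when there is none`. The index also assumes `paths` keeps the order of `a.paths` until the mount loop, which the lines between the two hunks (not shown) should be checked for. cure's body starts and ends outside this hunk.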
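Review bot: In the second exec.go hunk, `overlayTempIndex--` runs whenever the root entry is stripped, including when no /tmp entry exists, so the sentinel silently moves from -1 to -2 and correctness depends on every later test being `< 0` rather than `== -1`. I would either guard it, `if overlayTempIndex > 0 { overlayTempIndex-- }`, or state the invariant in a comment next to the decrement. Separately, `os.MkdirAll` succeeds on pre-existing `upper` and `work` directories, so if `c.GetTempDir()` can ever be reused (not visible here) stale upper-layer content would show up in the sandbox's /tmp; worth confirming the directory is always fresh. cure's body continues outside the hunk.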
@@ -293,28 +309,12 @@ func (a *execArtifact) cure(c *CureContext, hostNet bool) (err error) {
 fhs.AbsRoot.Append("work"),
 std.BindWritable|std.BindEnsure,
 )
- if overlayTemp == nil {
+ if overlayTempIndex < 0 {
 z.Bind(
 c.GetTempDir(),
 fhs.AbsTmp,
 std.BindWritable|std.BindEnsure,
 )
- } else {
- temp := c.GetTempDir()
- tempUpper := temp.Append("upper")
- if err = os.MkdirAll(tempUpper.String(), 0700); err != nil {
- return
- }
- tempWork := temp.Append("work")
- if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
- return
- }
- z.Overlay(
- fhs.AbsTmp,
- tempUpper,
- tempWork,
- overlayTemp,
- )
 }
 z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
diff --git a/internal/pkg/testdata/main.go b/internal/pkg/testdata/main.go
index 4f3d047..6a884a3 100644
--- a/internal/pkg/testdata/main.go
+++ b/internal/pkg/testdata/main.go
@@ -144,22 +144,24 @@ func main() {
 }
 }
+ if overlayTmp {
+ next() // testtool artifact
+ if m.Root != "/" || m.Target != "/tmp" ||
+ m.Source != "overlay" || m.FsType != "overlay" {
+ log.Fatal("unexpected temp mount entry")
+ }
+ }
+
 next()
 if path.Base(m.Root) != ident || m.Target != "/work" {
 log.Fatal("unexpected work mount entry")
 }
- next()
 if !overlayTmp {
+ next()
 if path.Base(m.Root) != ident || m.Target != "/tmp" {
 log.Fatal("unexpected temp mount entry")
 }
- } else {
- // testtool artifact
- if m.Root != "/" || m.Target != "/tmp" ||
- m.Source != "overlay" || m.FsType != "overlay" {
- log.Fatal("unexpected temp mount entry")
- }
 }
 next()
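Review bot: In the third exec.go hunk, the fallback `z.Bind(c.GetTempDir(), fhs.AbsTmp, std.BindWritable|std.BindEnsure)` is still queued after every entry in `paths`, so in the `overlayTempIndex < 0` case a path entry mounted below /tmp would, as far as these lines show, still be covered by the temp bind. If such targets are accepted, the ordering fix only holds when an explicit /tmp entry is present; consider queuing the default bind before the path loop, or documenting the restriction with a comment such as `// default /tmp is mounted last and hides earlier mounts beneath it`. cure's body continues outside the hunk.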
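Review bot: Both /tmp checks in the testdata/main.go hunk fail with the same `log.Fatal("unexpected temp mount entry")`, so a failure does not say whether the overlay or the bind expectation was violated, which matters more now that the two checks sit at different positions in the mount sequence. Distinct messages would make an ordering regression easier to triage, e.g. `log.Fatal("unexpected overlay temp mount entry")` in the `overlayTmp` branch. main's body starts and ends outside the hunk.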