container/initdev: mount tmpfs on shm for ro dev

Programs expect /dev/shm to be a writable tmpfs.

Signed-off-by: Ophestra <cat@gensokyo.uk>

container/container_test.go

@@ -100,6 +100,7 @@ var containerTestCases = []struct {
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
+			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
 		1971, 100, nil, 0, seccomp.PresetStrict},
 
@@ -116,6 +117,7 @@ var containerTestCases = []struct {
 			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
+			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
 		1971, 100, nil, 0, seccomp.PresetStrict},
 

container/initdev.go

@@ -72,8 +72,9 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}
 
+	devShmPath := path.Join(target, "shm")
 	devPtsPath := path.Join(target, "pts")
-	for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
+	for _, name := range []string{devShmPath, devPtsPath} {
 		if err := k.mkdir(name, state.ParentPerm); err != nil {
 			return wrapErrSelf(err)
 		}
@@ -117,8 +118,12 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	if d.Write {
 		return nil
 	}
-	return wrapErrSuffix(k.remount(target, MS_RDONLY),
-		fmt.Sprintf("cannot remount %q:", target))
+
+	if err := k.remount(target, MS_RDONLY); err != nil {
+		return wrapErrSuffix(k.remount(target, MS_RDONLY),
+			fmt.Sprintf("cannot remount %q:", target))
+	}
+	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
 }
 
 func (d *MountDevOp) Is(op Op) bool {

container/initdev_test.go

@@ -645,6 +645,7 @@ func TestMountDevOp(t *testing.T) {
 			{"readlink", expectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil},
 			{"bindMount", expectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil},
 			{"remount", expectArgs{"/sysroot/dev", uintptr(1)}, nil, nil},
+			{"mountTmpfs", expectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil},
 		}, nil},
 
 		{"success rw", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
@@ -715,6 +716,7 @@ func TestMountDevOp(t *testing.T) {
 			{"mkdir", expectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil},
 			{"mount", expectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil},
 			{"remount", expectArgs{"/sysroot/dev", uintptr(1)}, nil, nil},
+			{"mountTmpfs", expectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil},
 		}, nil},
 	})
 

container/mount.go

@@ -43,6 +43,8 @@ const (
 	// Note that any source value is allowed when fstype is [FstypeOverlay].
 	SourceOverlay = "overlay"
 
+	// SourceTmpfs is used when mounting tmpfs.
+	SourceTmpfs = "tmpfs"
 	// SourceTmpfsRootfs is used when mounting the tmpfs instance backing the intermediate root.
 	SourceTmpfsRootfs = "rootfs"
 	// SourceTmpfsDevtmpfs is used when mounting tmpfs representing a subset of host devtmpfs.