container/initdev: mount tmpfs on shm for ro dev

Programs expect /dev/shm to be a writable tmpfs. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-26 03:15:32 +09:00
parent 07194c74cb
commit 9bc8532d56
12 changed files with 30 additions and 9 deletions
--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@@ -148,6 +148,7 @@ var testCasesNixos = []sealTestCase{
 				Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1").
 				Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable|container.BindEnsure).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable).
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@@ -53,6 +53,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable).
@@ -189,6 +190,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable).
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@@ -233,7 +233,9 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid

 	// no more ContainerConfig paths beyond this point
 	if !s.Device {
-		params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
+		params.
+			Remount(container.AbsFHSDev, syscall.MS_RDONLY).
+			Tmpfs(container.AbsFHSDev.Append("shm"), 0, 01777)
 	}

 	return params, maps.Clone(s.Env), nil