internal/app: mount /dev/shm early

This avoids covering /dev/shm mounts from hst. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-09-14 01:35:17 +09:00
parent 3f25c3f0af
commit ca247b8037
11 changed files with 26 additions and 18 deletions
--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@@ -135,6 +135,7 @@ var testCasesNixos = []sealTestCase{
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
+				Tmpfs(m("/dev/shm"), 0, 01777).
 				Bind(m("/bin"), m("/bin"), 0).
 				Bind(m("/usr/bin/"), m("/usr/bin/"), 0).
 				Bind(m("/nix/store"), m("/nix/store"), 0).
@@ -149,7 +150,6 @@ var testCasesNixos = []sealTestCase{
 				Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1").
 				Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable|container.BindEnsure).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
-				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable).
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@@ -48,13 +48,13 @@ var testCasesPd = []sealTestCase{
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
+				Tmpfs(m("/dev/shm"), 0, 01777).
 				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
 				Readonly(m("/var/run/nscd"), 0755).
 				Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
-				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable).
@@ -184,6 +184,7 @@ var testCasesPd = []sealTestCase{
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
+				Tmpfs(m("/dev/shm"), 0, 01777).
 				Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional).
 				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
 				Readonly(m("/var/run/nscd"), 0755).
@@ -191,7 +192,6 @@ var testCasesPd = []sealTestCase{
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
-				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable).
--- a/internal/app/container.go
+++ b/internal/app/container.go
@@ -98,6 +98,8 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	} else {
 		params.Bind(container.AbsFHSDev, container.AbsFHSDev, container.BindWritable|container.BindDevice)
 	}
+	// /dev is mounted readonly later on, this prevents /dev/shm from going readonly with it
+	params.Tmpfs(container.AbsFHSDev.Append("shm"), 0, 01777)

 	/* retrieve paths and hide them if they're made available in the sandbox;

@@ -230,9 +232,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid

 	// no more ContainerConfig paths beyond this point
 	if !s.Device {
-		params.
-			Remount(container.AbsFHSDev, syscall.MS_RDONLY).
-			Tmpfs(container.AbsFHSDev.Append("shm"), 0, 01777)
+		params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
 	}

 	return params, maps.Clone(s.Env), nil