From e0533aaa684ecdc80c6542233570c30f0fcec06a Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Wed, 20 Aug 2025 01:03:49 +0900
Subject: [PATCH] container/autoroot: filter dentry with empty name

This is unreachable, but nice to have just in case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 container/autoroot.go      |  2 ++
 container/autoroot_test.go | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 container/autoroot_test.go

diff --git a/container/autoroot.go b/container/autoroot.go
index 215a7bb..6145ec6 100644
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -89,6 +89,8 @@ func IsAutoRootBindable(name string) bool {
 	case "mnt":
 	case "etc":
 
+	case "": // guard against accidentally binding /
+
 	default:
 		return true
 	}
diff --git a/container/autoroot_test.go b/container/autoroot_test.go
new file mode 100644
index 0000000..7e9d147
--- /dev/null
+++ b/container/autoroot_test.go
@@ -0,0 +1,26 @@
+package container
+
+import "testing"
+
+func TestIsAutoRootBindable(t *testing.T) {
+	testCases := []struct {
+		name string
+		want bool
+	}{
+		{"proc", false},
+		{"dev", false},
+		{"tmp", false},
+		{"mnt", false},
+		{"etc", false},
+		{"", false},
+
+		{"var", true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := IsAutoRootBindable(tc.name); got != tc.want {
+				t.Errorf("IsAutoRootBindable: %v, want %v", got, tc.want)
+			}
+		})
+	}
+}