BUG: Bind-mount even more files for better OOTBE

kernc · kernc · commit 9a44326b5f97 · 2025-10-31T03:43:02.000+01:00
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ process invocations via **`$BWRAP_ARGS` environment variable**. E.g.:
 
 ```sh
 BWRAP_ARGS='--bind /opt /opt' \
-    python -c 'import os; print(os.listdir("/opt"))'
+    sandbox-run ./NVIDIA-Driver-Installer.run
 ```
 
 For details, see `bubblewrap --help` or [`man 1 bwrap`](https://manpages.debian.org/unstable/bwrap).
@@ -104,6 +104,7 @@ is lost upon container termination.
 
 See `bwrap` switches [`--seccomp FD` and `--add-seccomp-fd FD`](https://manpages.debian.org/unstable/bubblewrap/bwrap.1.en.html#:~:text=Lockdown%20options%3A-,--seccomp%20fd,-Load%20and%20use).
 
+
 #### Runtime monitoring
 
 If **environment variable `VERBOSE=`** is set to a non-empty value,
diff --git a/sandbox-run b/sandbox-run
@@ -40,21 +40,28 @@ split_args_by_lf () { printf '%s' "$1" | case "$1" in *$lf*) cat ;; *) tr ' ' '\
 
 # RO-bind select paths
 paths='
+/bin
 /etc/alternatives
 /etc/resolv.conf
 /etc/ssl
 /etc/hosts
 /etc/pki
+/etc/pkcs11
 /etc/ld.so.cache
+/etc/ld.so.conf.d
 /etc/localtime
-/etc/mtab
 /etc/os-release
 /etc/timezone
 /lib
 /lib64
 /run/dbus/system_bus_socket
+/sbin
 /usr
 '
+# ld.so.conf.d: https://containertoolbx.org/doc/#ldconfig8
+RW_paths='
+/etc/ld.so.conf.d
+'
 
 # Support BWRAP_ARGS passed to the process as well as via .env file
 prev_BWRAP_ARGS="${BWRAP_ARGS:-}"
@@ -97,16 +104,18 @@ warn "exec bwrap [...] $formatted_cmdline"
 
 # shellcheck disable=SC2046
 bwrap \
-    --dir /tmp \
+    --tmpfs /tmp \
     --tmpfs /run \
     --proc /proc \
     --dev /dev \
+    --symlink /run /var/run \
     --symlink /tmp /var/tmp \
     --symlink /usr/bin /bin \
     --symlink /usr/bin /sbin \
     --dev-bind-try /dev/fuse /dev/fuse \
     --ro-bind "$bin" "$bin" \
     $(set +x; for path in $paths; do [ ! -e "$path" ] || printf -- '--ro-bind-try %s %s ' "$path" "$path"; done) \
+    $(set +x; for path in $RW_paths; do [ ! -e "$path" ] || printf -- '--bind-try %s %s ' "$path" "$path"; done) \
     --bind "$cwd" "$cwd" \
     --chdir "$cwd" \
     --clearenv \
diff --git a/tests/smoke-test.sh b/tests/smoke-test.sh
@@ -3,7 +3,7 @@ set -eu
 
 . "${0%/*}/_init.sh"
 
-sandbox-run sh -c 'awk'  # Awk is available
+sandbox-run sh -c 'awk'  # Awk via /etc/alternatives
 
 sandbox-run sh -c 'touch "$HOME/success"'
 
