containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Mounting tmpfs on top of a symlink fails #275

Open jamesderlin opened 6 years ago

jamesderlin commented 6 years ago

Using bwrap --tmpfs PATH ... where PATH happens to be a symlink to a directory fails with:

bwrap: Can't mount tmpfs on /newroot/PATH: No such file or directory

As an example, see https://github.com/flatpak/flatpak/issues/1032

The flatpak developers worked around this by dereferencing the symlink first and mounting a tmpfs on top of the symlink's target, but perhaps bwrap should (perhaps optionally) do this itself so that other users don't need to reimplement that workaround everywhere.

cgwalters commented 6 years ago

There's another issue where this came up but it's a lot harder than it seems, because we need to consider two situations:

1) The symlink points to a target that exists in the container root (or will be exposed by a different bind mount)
2) The symlink points to a target that won't exist in the container root

In the first situation, we could actually break things by chasing the link unconditionally.
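
The dereferencing workaround from the first comment, checked against the two situations in the reply, as an added example (not code from bubblewrap or Flatpak). It assumes the sandbox reuses host paths for the locations involved; `tmpfs_args`, `is_under` and `bind_dests` are hypothetical names, and refusing in situation 1 is this example's own policy choice.

```python
import os
import tempfile

def is_under(path, parent):
    """True if `path` equals `parent` or lies below it (both absolute)."""
    return os.path.commonpath([path, parent]) == parent

def tmpfs_args(path, bind_dests=()):
    """Build the bwrap arguments that place a tmpfs at `path`.

    bind_dests: destinations of the bind mounts the caller will also pass.
    Assumption: the sandbox uses the same path layout as the host here.
    """
    path = os.path.abspath(path)
    if not os.path.islink(path):
        return ["--tmpfs", path]            # plain directory: nothing to chase
    target = os.path.realpath(path)         # dereference, as the workaround does
    if not os.path.isdir(target):
        raise ValueError(f"{path} -> {target}: target is not a directory")
    for dest in bind_dests:
        # Situation 1: the target is content another bind mount exposes.
        # Chasing the link would put the tmpfs over it, so refuse (assumed policy).
        if is_under(target, os.path.realpath(dest)):
            raise ValueError(f"{path} -> {target} lies inside bind mount {dest}")
    # Situation 2: no planned bind mount covers the target; use the dereferenced path.
    return ["--tmpfs", target]

if __name__ == "__main__":
    # Constructed sample layout: <tmp>/real is a directory, <tmp>/link points at it.
    root = os.path.realpath(tempfile.mkdtemp())
    real, link = os.path.join(root, "real"), os.path.join(root, "link")
    os.mkdir(real)
    os.symlink(real, link)
    print(tmpfs_args(link))
    try:
        tmpfs_args(link, bind_dests=[root])
    except ValueError as err:
        print("refused:", err)
```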