[Req] Extend root share to mount temporary folders

[xiota]

Description

Related to #61. Extend root share to mount temporary folders, using bwrap --tmpfs. For reference, from man bwrap:

 --tmpfs DEST
      Mount new tmpfs on DEST. If the previous option was --perms, it sets
      the mode of the tmpfs. Otherwise, the tmpfs has mode 0755. If the
      previous option was --size, it sets the size in bytes of the tmpfs.
      Otherwise, the tmpfs has the default size.

This is useful to automatically discard temporary data (~/.cache) and to prevent sensitive data from being written to disk.

[rusty-snake]

prevent sensitive data from being written to disk.

swap

[igo95862]

prevent sensitive data from being written to disk.

swap

I wonder if memory.swap.max cgroups memory controller could be used to disable swap: https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html#memory

[rusty-snake]

• Bubblejail: Limited options, maybe memory.swap.max.
• Bubblewrap: Could add a --ramfs or --noswap --tmpfs.
• Sysadmin: Can configure system to use only zram swap.

[igo95862]

I don't see how Bubblewrap can add --noswap. It does not setup cgroups. I actually had several ideas on adding the cgroups support for bubblejail.

[rusty-snake]

Well it has already --perms and --size. I see no reason why --noswap should not be possible.

tmpfs blocks may be swapped out, when there is a shortage of memory. tmpfs has a mount option to disable its use of swap:

noswap	Disables swap. Remounts must respect the original settings. By default swap is enabled.

^{src: https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html}

[igo95862]

I didn't know there was such option. Although it seems to be very new: https://lwn.net/Articles/924251/ https://www.spinics.net/lists/linux-man/msg25288.html

[xiota]

--tmpfs works with new debug service.

I don't see any --noswap option at https://github.com/containers/bubblewrap