sane-sandboxed: bwrap: expose symlinks to the sandbox directly, instead of binding
some things (e.g. `sane-open`) require the symlink, and lose too much info when working only with the bind. having the sandboxed environment stay similar to the out env sould make debugging things simpler
This commit is contained in:
parent
d148b19767
commit
f7a25d1421
|
|
@ -564,7 +564,12 @@ bwrapIngestPath() {
|
|||
# may be possible to place ever mount in a subdir, and mount the super dir?
|
||||
# or maybe configure remote mounts to somehow never hang.
|
||||
# test -r "$1" && bwrapFlags+=("--dev-bind-try" "$1" "$1")
|
||||
bwrapFlags+=("--dev-bind-try" "$1" "$1")
|
||||
local target="$(readlink "$1")"
|
||||
if [ -n "$target" ]; then
|
||||
bwrapFlags+=("--symlink" "$target" "$1")
|
||||
else
|
||||
bwrapFlags+=("--dev-bind-try" "$1" "$1")
|
||||
fi
|
||||
|
||||
# default to virtualizing a few directories in a way that's safe (doesn't impact outside environment)
|
||||
# and maximizes compatibility with apps. but if explicitly asked for the directory, then remove the virtual
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user