First off, I am using Bubblewrap as the sandboxing software, but I feel like it is a general mounting issue rather than a bubblewrap one. I am trying to add bwrap into a sandbox wrapper called sandboxlib; the details are not important, other than the tests that are run.
One particular test tries to mount the sandbox / from "/foo/bar". This contains two sub-directories, data and bin.
The bin directory simply contains a simple binary called 'test-file-is-writable'.
If I run:
$ /usr/bin/bwrap --ro-bind /foo/bar / --tmpfs /data test-file-is-writable data/1/canary
Couldn't open data/1/canary for writing.
HOWEVER, mounting / as writable works:
$ /usr/bin/bwrap --bind /foo/bar / --tmpfs /data test-file-is-writable data/1/canary
Wrote data to data/1/canary.
However, I only want /data to be writable, and I assume the rest of / to be ro.
Adding in a remount as read-only still doesn't fix things:
$ /usr/bin/bwrap --ro-bind /foo/bar / --tmpfs /data --remount-ro / test-file-is-writable data/1/canary
Couldn't open data/1/canary for writing.
Debugging this further, I added in the mounts/paths required to drop into an interactive shell inside the sandbox:
$ /usr/bin/bwrap --bind /foo/bar / --tmpfs /data --ro-bind /lib /lib --ro-bind /lib64 /lib64 --ro-bind /bin /usr/bin --remount-ro / bash
Running a simple ls of / shows everything is mounted as expected. Testing r/w is all fine. The issue, however, is that the /data directory is totally empty (other than the output of my 'touch /data/testwrite'). Note that the original /data partition I wanted to mount actually contains files.
Q. Am I not understanding the mounting here? Or are the tests wrong? The only workaround I can see is to copy over the files from the original ro /data to the newly write-mounted /data.
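As an added illustration of the mount stacking involved (this is not code from the question, from sandboxlib or from bubblewrap itself), here is a small Python model that applies the options in command-line order: a path resolves to the most recently mounted mount point covering it, --tmpfs puts a fresh empty writable filesystem on top of whatever the earlier bind showed at that path, and --remount-ro makes only the named mount point read-only, as bwrap(1) documents. The host tree HOST_FOO_BAR is a constructed stand-in for /foo/bar; the model does not attempt to explain why the --bind variant in the question succeeded, which the question itself leaves open.

```python
"""Toy model of bubblewrap's mount stacking (added illustration, not bwrap's
own code). Rules modelled:
  * options are applied in command-line order;
  * a path resolves to the most recently mounted mount point covering it;
  * --tmpfs DEST is a fresh, empty, writable filesystem that shadows whatever
    an earlier mount showed at DEST;
  * --remount-ro DEST affects only that mount point, not mounts stacked on
    top of it (documented in bwrap(1)).
"""
from dataclasses import dataclass, field
import posixpath


@dataclass
class Mount:
    target: str            # mount point inside the sandbox
    readonly: bool
    # entries visible through this mount: path relative to target -> "dir"|"file";
    # "" is the mount's own root directory
    entries: dict = field(default_factory=dict)


# Constructed stand-in for the host tree the question binds at /foo/bar.
HOST_FOO_BAR = {
    "": "dir",
    "bin": "dir",
    "bin/test-file-is-writable": "file",
    "data": "dir",
    "data/1": "dir",
    "data/1/existing.txt": "file",
}


class Sandbox:
    def __init__(self):
        self.mounts: list[Mount] = []

    def bind(self, src_entries, dest, readonly):
        """--ro-bind / --bind SRC DEST: expose SRC's tree at DEST."""
        self.mounts.append(Mount(dest, readonly, dict(src_entries)))

    def tmpfs(self, dest):
        """--tmpfs DEST: an empty, writable filesystem at DEST."""
        self.mounts.append(Mount(dest, readonly=False, entries={"": "dir"}))

    def remount_ro(self, dest):
        """--remount-ro DEST: only the mount whose target is DEST changes."""
        for m in reversed(self.mounts):
            if m.target == dest:
                m.readonly = True
                return
        raise ValueError(f"{dest} is not a mount point")

    def _resolve(self, path):
        """Return (mount, path relative to it) for the newest covering mount."""
        path = posixpath.normpath(path)
        for m in reversed(self.mounts):
            rel = posixpath.relpath(path, m.target)
            if not rel.startswith(".."):
                return m, "" if rel == "." else rel
        raise FileNotFoundError(path)

    def listdir(self, path):
        """Names visible in a directory, including stacked mount points."""
        m, rel = self._resolve(path)
        prefix = rel + "/" if rel else ""
        names = {e[len(prefix):].split("/")[0] for e in m.entries
                 if e != rel and e.startswith(prefix)}
        for other in self.mounts:
            if other is not m and posixpath.dirname(other.target) == posixpath.normpath(path):
                names.add(posixpath.basename(other.target))
        return sorted(names)

    def write(self, path):
        """Mimic open(path, 'w'); return (ok, reason)."""
        m, rel = self._resolve(path)
        if m.readonly:
            return False, "read-only file system"
        parent = posixpath.dirname(rel)
        if parent and m.entries.get(parent) != "dir":
            return False, "parent directory does not exist"
        m.entries[rel] = "file"
        return True, "ok"


def question_scenario():
    """--ro-bind /foo/bar / --tmpfs /data --remount-ro /, in that order."""
    sb = Sandbox()
    sb.bind(HOST_FOO_BAR, "/", readonly=True)
    sb.tmpfs("/data")        # shadows the bind's data/ with an empty tmpfs
    sb.remount_ro("/")       # only the root mount; /data stays writable
    return sb


if __name__ == "__main__":
    sb = question_scenario()
    print("/data contains:", sb.listdir("/data"))
    print("write data/1/canary:", sb.write("/data/1/canary"))
    print("write /data/testwrite:", sb.write("/data/testwrite"))
    print("write /bin/x:", sb.write("/bin/x"))
```

In this model the empty tmpfs is exactly what the interactive shell showed: /data lists nothing, `touch /data/testwrite` succeeds, writes anywhere else under / are refused, and data/1/canary cannot be opened because the tmpfs has no data/1 directory. Binding the host tree without the tmpfs shows the host's data/1 again, which is the content the question expected to see.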