From c818ea649a416b35040bee85f1943e21065cfb51 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Sun, 13 Oct 2024 00:07:48 +0900
Subject: [PATCH] app/seal: skip /mnt in permissive default

This directory usually contains temporarily mounted stuff and shouldn't get into the sandbox.

Signed-off-by: Ophestra Umiker
---
 internal/app/seal.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/internal/app/seal.go b/internal/app/seal.go
index 4a211db..fd42af6 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -134,6 +134,7 @@ func (a *app) Seal(config *Config) error {
 case "proc":
 case "dev":
 case "run":
+ case "mnt":
 default:
 p := "/" + name
 b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
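Review bot: The new `case "mnt":` in Seal's switch carries its rationale only in the commit message; a comment on the line, e.g. `case "mnt": // temporary mounts, kept out of the sandbox`, would keep the reason next to the skip list. Because the `default` branch binds every other top-level name with `Write: true, Must: true`, the list acts as a denylist, so any mount point it does not name is exposed writable to the sandbox. By the same reasoning `/media`, the FHS location for removable media, probably belongs here too, which is worth confirming against the hosts this targets. The switch starts outside the hunk, so whether names are filtered earlier is not visible here.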