Improve sandboxing

squashfs-start.sh

@@ -26,7 +26,7 @@ working_dir=/tmp/"$(basename "${script}")"_"${USER}"_${RANDOM}
 # a problem with mounting the squashfs image due to an incorrectly calculated offset.
 
 # The size of this script
-scriptsize=11912
+scriptsize=12030
 
 # The size of the utils.tar archive
 # utils.tar contains bwrap and squashfuse binaries
@@ -140,7 +140,10 @@ run_bwrap () {
 
 	if [ -n "$SANDBOX" ]; then
 		echo "Filesystem sandbox is enabled"
-		dirs="--tmpfs /home --tmpfs /opt --tmpfs /mnt --dir ${HOME}"
+
+		dirs="--tmpfs /home --dir ${HOME} --tmpfs /opt --tmpfs /mnt \
+			--tmpfs /media --tmpfs /var --tmpfs /run --symlink /run /var/run \
+			--bind-try /run/user /run/user --bind-try /run/dbus /run/dbus"
 
 		if [ -n "${HOME_DIR}" ]; then
 			echo "Set HOME to ${HOME_DIR}"
@@ -150,7 +153,8 @@ run_bwrap () {
 #		unshare="--unshare-user-try --unshare-pid --unshare-uts --unshare-cgroup-try \
 #				--hostname Conty"
 	else
-		dirs="--bind /home /home --bind-try /mnt /mnt --bind-try /opt /opt --bind-try /media /media"
+		dirs="--bind-try /home /home --bind-try /mnt /mnt --bind-try /opt /opt \
+			--bind-try /media /media --bind-try /run /run --bind-try /var /var"
 	fi
 
 	if [ -n "$BIND" ]; then
@@ -168,17 +172,17 @@ run_bwrap () {
 	"${bwrap}" --ro-bind "${working_dir}"/mnt / \
 			--dev-bind /dev /dev \
 			--ro-bind /sys /sys \
-			--bind /run /run \
-			--bind /var /var \
-			--bind /tmp /tmp \
+			--bind-try /tmp /tmp \
+			--proc /proc \
 			--ro-bind-try /etc/resolv.conf /etc/resolv.conf \
 			--ro-bind-try /etc/hosts /etc/hosts \
 			--ro-bind-try /etc/nsswitch.conf /etc/nsswitch.conf \
 			--ro-bind-try /etc/passwd /etc/passwd \
 			--ro-bind-try /etc/group /etc/group \
-			--proc /proc \
 			--ro-bind-try /usr/local /usr/local \
-			${dirs} ${net} ${nvidia_driver_bind} \
+			${dirs} \
+			${net} \
+			${nvidia_driver_bind} \
 			--setenv PATH "${PATH}:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/lib/jvm/default/bin" \
 			"$@"
 }