Base: Prevent a BuggieBox container from being exposed to /sys

/sys has lots of interesting information that an ordinary program in a
container session shouldn't really care about, such as possible major
and minor numbers of potentially exposed device files, etc.

It seems like we don't really need /sys at the moment, so there's no
harmful impact from this change.

The risk of keeping /sys is probably low anyway, because, for example,
a jailed process can't open most device files, even if it "sees" them
in /sys.

However, as another line of defense, let's just not mount /sys in such
an environment, if possible.

Liav A.
2026-02-22 22:17:59 +02:00
committed by Sönke Holz
parent 15edb02847
commit f750bab4ce

@@ -118,16 +118,6 @@
"source": null,
"target": "/proc",
"fs_type": "ProcFS"
},
{
"type": "directory",
"target": "/sys/"
},
{
"type": "mount",
"source": null,
"target": "/sys",
"fs_type": "SysFS"
}
]
}
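
Review bot: With the "/sys/" directory entry and the SysFS mount both dropped, the ProcFS mount at "/proc" becomes the last element of this array, so please confirm the resulting file leaves no trailing comma after that entry's closing brace and still parses. The commit message says /sys "seems" unneeded; a short list in the message of which BuggieBox programs were exercised inside the container, or a test asserting that /sys is absent there, would make that verifiable. Since the stated goal is another line of defense, it would also help to document why "/proc" stays mounted, as it is the kernel information filesystem still present in the visible part of this layout.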