From 04a1815319a5c4716a1b199cf8494e126c5ebfa8 Mon Sep 17 00:00:00 2001
From: Jake Hillion <jake@hillion.co.uk>
Date: Sat, 21 May 2022 16:05:00 +0100
Subject: [PATCH] fixed missing dev null

---
 src/spawner/mod.rs |  2 ++
 src/void.rs        | 30 ++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/spawner/mod.rs b/src/spawner/mod.rs
index 77f28cc..f495fb7 100644
--- a/src/spawner/mod.rs
+++ b/src/spawner/mod.rs
@@ -326,6 +326,8 @@ impl<'a> Spawner<'a> {
         self.mount_entrypoint(builder, self.binary)?;
         self.forward_mounts(builder, environment, args);
         self.forward_files(builder, args);
+
+        builder.mount("/dev/null", "/dev/null");
         builder.mount("/proc", "/proc").remount_proc();
 
         Ok(())
diff --git a/src/void.rs b/src/void.rs
index 10da7e6..3b575bc 100644
--- a/src/void.rs
+++ b/src/void.rs
@@ -106,7 +106,9 @@ impl VoidBuilder {
                 debug!("voiding user namespace...");
                 self.void_user_namespace(parent_uid, parent_gid)?; // first to regain full capabilities
 
-                debug!("voiding file descriptors...");
+                debug!("voiding mount namespace...");
+                self.void_mount_namespace()?;
+                debug!("voiding file descriptors..."); // occur after mount to unmount /dev/null
                 self.void_file_descriptors()?;
 
                 debug!("voiding ipc namespace...");
@@ -117,8 +119,6 @@ impl VoidBuilder {
                 self.void_network_namespace()?;
                 debug!("voiding pid namespace...");
                 self.void_pid_namespace()?;
-                debug!("voiding mount namespace...");
-                self.void_mount_namespace()?;
                 debug!("voiding cgroup namespace...");
                 self.void_cgroup_namespace()?;
 
@@ -255,7 +255,18 @@ impl VoidBuilder {
         std::env::set_current_dir(&new_root)?;
 
         trace!("creating bind mounts before unmounting");
-        for (src, dst) in &self.mounts {
+
+        let standard_dev_null = if self.mounts.contains_key(&PathBuf::from("/dev/null")) {
+            None
+        } else {
+            Some((PathBuf::from("/dev/null"), PathBuf::from("/dev/null")))
+        };
+
+        for (src, dst) in self
+            .mounts
+            .iter()
+            .chain(standard_dev_null.as_ref().map(|(x, y)| (x, y)))
+        {
             let mut src = old_root.join(src.strip_prefix("/").unwrap_or(src));
             let dst = new_root.join(dst.strip_prefix("/").unwrap_or(dst));
 
@@ -397,6 +408,8 @@ impl VoidBuilder {
             let mut nullfd: Option<File> = None;
             for stdfd in &[0, 1, 2] {
                 if !keep.contains(stdfd) {
+                    trace!("voiding stdfd {}", stdfd);
+
                     let fd = nullfd
                         .take()
                         .map(Ok)
@@ -412,6 +425,15 @@ impl VoidBuilder {
             }
         }
 
+        if !self.mounts.contains_key(&PathBuf::from("/dev/null")) {
+            debug!("unmount /dev/null after voiding file descriptors");
+
+            umount2("/dev/null", MntFlags::MNT_DETACH).map_err(|e| Error::Nix {
+                msg: "umount2",
+                src: e,
+            })?;
+        }
+
         for fd in keep.as_ref() {
             let mut flags = FdFlag::from_bits_truncate(
                 nix::fcntl::fcntl(*fd, FcntlArg::F_GETFD).map_err(|e| Error::Nix {
-- 
2.46.0