When the --dev option is used, the 'mount' command cannot be used inside
the container, even when permissions would appear to allow it. A script
that demonstrates this is attached:
$ ./bwrap-test.sh
bash-5.2$ mount -t tmpfs x /tmp
mount: /tmp: must be superuser to use mount.
dmesg(1) may have more information after failed mount system call.
bash-5.2$ exit
exit
$ ./bwrap-test.sh -a
bash-5.2$ mount -t tmpfs x /tmp
bash-5.2$ exit
exit
$
When "-a" is used, "--dev-bind /dev /dev" replaces "--dev /dev", and the
"mount" command works. This is kind of the opposite of what I'd expect,
as --dev seems safer than a full --dev-bind. Nothing is logged to dmesg
either way.
A work-around is to use something like "--dev-bind /dev /real-dev", then
bind-mount chosen devices to a new /dev tree before unmounting /real-dev
("umount --no-mtab --lazy /real-dev" seems to work).
- Michael
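A launcher that implements the work-around from the report, added here as an example (it is not the reporter's bwrap-test.sh and not bubblewrap's own code). It goes one step further than the report by only re-binding an allow-list of device nodes into the fresh /dev. It assumes bwrap (0.4 or newer, for --ro-bind-try) is on PATH and that the sandbox is started with options that let the inner shell call mount(2), as in the reporter's -a case; the exact flags used for that (--uid 0 --cap-add CAP_SYS_ADMIN) are an assumption, not something the report states.

```shell
#!/bin/sh
# Added example, not the reporter's bwrap-test.sh. Assumes bwrap >= 0.4 on PATH
# and that "--uid 0 --cap-add CAP_SYS_ADMIN" is enough for mount(2) to work
# inside the sandbox (an assumption; the report only shows that it works
# with --dev-bind and fails with --dev).
set -eu

# Allow-list of device nodes to expose. Disks, ttys, input devices and
# everything else in the host /dev never appear in the sandbox's final /dev.
ALLOWED_DEVICES="null zero full random urandom"

# Runs INSIDE the sandbox. $1 is where the host /dev was --dev-bind'ed;
# /dev itself is an empty tmpfs at this point.
populate_dev() {
    real=$1; shift
    for d in $ALLOWED_DEVICES; do
        [ -e "$real/$d" ] || continue        # skip nodes the host lacks
        : > "/dev/$d"                        # a bind mount needs a target file
        mount --bind "$real/$d" "/dev/$d"
    done
    umount --no-mtab --lazy "$real"          # detach the full /dev, as in the report
    exec "$@"                                # hand over to the real command
}

# Outer bwrap options, one per line. The host /dev lands on /real-dev instead
# of /dev, so mount(2) keeps working inside (the behaviour the report observed).
bwrap_args() {
    printf '%s\n' --unshare-all --uid 0 --gid 0 --cap-add CAP_SYS_ADMIN \
        --ro-bind /usr /usr --ro-bind /bin /bin --ro-bind /lib /lib \
        --ro-bind-try /lib64 /lib64 --proc /proc --tmpfs /tmp \
        --dev-bind /dev /real-dev --tmpfs /dev
}

run_sandbox() {
    # $(bwrap_args) is split on whitespace on purpose; no arg contains any.
    exec bwrap $(bwrap_args) --ro-bind "$0" /launcher.sh \
        /bin/sh /launcher.sh --inner "$@"
}

case "${1:-}" in
    --inner) shift; populate_dev /real-dev "$@" ;;
    --run)   shift; run_sandbox "$@" ;;
esac
```

Run it as `./launcher.sh --run bash`; inside, `ls /dev` shows only the allow-listed nodes and `mount -t tmpfs x /tmp` behaves as in the reporter's -a case.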