Userland: Prevent a BuggieBox container from being exposed to /sys

supercomputer7 · supercomputer7 · commit 9f276042726a · 2026-02-22T22:17:59.000+02:00
/sys has lots of interesting information that an ordinary program in a
container session shouldn't really care about, such as possible major
and minor numbers of potentially exposed device files, etc.

It seems like we don't really need /sys at the moment, so there's no
harmful impact by this change.

The risk of keeping /sys is probably low anyway, because, for example,
a jailed process can't open most device files, even if it "sees" them
in /sys.
However, as another line of defense, let's just not mount /sys in such
environment, if possible.
diff --git a/Base/usr/share/runc/full-buggiebox-container.json b/Base/usr/share/runc/full-buggiebox-container.json
@@ -118,16 +118,6 @@
             "source": null,
             "target": "/proc",
             "fs_type": "ProcFS"
-        },
-        {
-            "type": "directory",
-            "target": "/sys/"
-        },
-        {
-            "type": "mount",
-            "source": null,
-            "target": "/sys",
-            "fs_type": "SysFS"
         }
     ]
 }

Original file line number	Diff line number	Diff line change
`@@ -118,16 +118,6 @@`
`118`	`118`	`"source": null,`
`119`	`119`	`"target": "/proc",`
`120`	`120`	`"fs_type": "ProcFS"`
`121`		`- },`
`122`		`- {`
`123`		`- "type": "directory",`
`124`		`- "target": "/sys/"`
`125`		`- },`
`126`		`- {`
`127`		`- "type": "mount",`
`128`		`- "source": null,`
`129`		`- "target": "/sys",`
`130`		`- "fs_type": "SysFS"`
`131`	`121`	`}`
`132`	`122`	`]`
`133`	`123`	`}`