bwrap: Bind-mount host /dev instead of creating fresh devtmpfs

crates/lib/src/bootloader.rs

@@ -122,21 +122,10 @@ pub(crate) fn install_via_bootupd(
         let mut bwrap_args = vec!["bootupctl"];
         bwrap_args.extend(bootupd_args);
 
-        // Collect partition paths first so they live long enough
-        let partition_paths: Vec<String> =
-            device.children.iter().flatten().map(|p| p.path()).collect();
-
-        let mut cmd = BwrapCmd::new(&target_root)
+        let cmd = BwrapCmd::new(&target_root)
             // Bind mount /boot from the physical target root so bootupctl can find
             // the boot partition and install the bootloader there
-            .bind(&boot_path, &"/boot")
-            // Bind the target block device inside the bwrap container so bootupctl can access it
-            .bind_device(&device_path);
-
-        // Also bind all partitions of the target block device
-        for part_path in &partition_paths {
-            cmd = cmd.bind_device(part_path);
-        }
+            .bind(&boot_path, &"/boot");
 
         // The $PATH in the bwrap env is not complete enough for some images
         // so we inject a reasonnable default.

crates/utils/src/bwrap.rs

@@ -17,8 +17,6 @@ pub struct BwrapCmd<'a> {
     chroot_path: Cow<'a, Utf8Path>,
     /// Bind mounts in format (source, target)
     bind_mounts: Vec<(&'a str, &'a str)>,
-    /// Device nodes to bind into the container
-    devices: Vec<&'a str>,
     /// Environment variables to set
     env_vars: Vec<(&'a str, &'a str)>,
 }
@@ -31,7 +29,6 @@ impl<'a> BwrapCmd<'a> {
         Self {
             chroot_path: Cow::Owned(Utf8PathBuf::from(&fd_path)),
             bind_mounts: Vec::new(),
-            devices: Vec::new(),
             env_vars: Vec::new(),
         }
     }
@@ -41,7 +38,6 @@ impl<'a> BwrapCmd<'a> {
         Self {
             chroot_path: Cow::Borrowed(path),
             bind_mounts: Vec::new(),
-            devices: Vec::new(),
             env_vars: Vec::new(),
         }
     }
@@ -57,12 +53,6 @@ impl<'a> BwrapCmd<'a> {
         self
     }
 
-    /// Bind a device node into the container.
-    pub fn bind_device(mut self, device: &'a str) -> Self {
-        self.devices.push(device);
-        self
-    }
-
     /// Set an environment variable for the command.
     pub fn setenv(mut self, key: &'a str, value: &'a str) -> Self {
         self.env_vars.push((key, value));
@@ -79,19 +69,20 @@ impl<'a> BwrapCmd<'a> {
         // Setup API filesystems
         // See https://systemd.io/API_FILE_SYSTEMS/
         cmd.args(["--proc", "/proc"]);
-        cmd.args(["--dev", "/dev"]);
+        cmd.args(["--dev-bind", "/dev", "/dev"]);
         cmd.args(["--bind", "/sys", "/sys"]);
 
+        // Bind /run primarily for the udev database so that
+        // lsblk/libblkid inside the sandbox can read
+        // partition type GUIDs and other device properties.
+        cmd.args(["--tmpfs", "/run"]);
+        cmd.args(["--bind", "/run", "/run"]);
+
         // Add bind mounts
         for (source, target) in &self.bind_mounts {
             cmd.args(["--bind", source, target]);
         }
 
-        // Add device bind mounts
-        for device in self.devices {
-            cmd.args(["--dev-bind", device, device]);
-        }
-
         // Add environment variables
         for (key, value) in &self.env_vars {
             cmd.args(["--setenv", key, value]);