BUG: Bind-mount even more files for better OOTBE

Author: kernc

README.md

@@ -77,7 +77,7 @@ process invocations via **`$BWRAP_ARGS` environment variable**. E.g.:
 
 ```sh
 BWRAP_ARGS='--bind /opt /opt' \
-    python -c 'import os; print(os.listdir("/opt"))'
+    sandbox-run ./NVIDIA-Driver-Installer.run
 ```
 
 For details, see `bubblewrap --help` or [`man 1 bwrap`](https://manpages.debian.org/unstable/bwrap).
@@ -104,6 +104,7 @@ is lost upon container termination.
 
 See `bwrap` switches [`--seccomp FD` and `--add-seccomp-fd FD`](https://manpages.debian.org/unstable/bubblewrap/bwrap.1.en.html#:~:text=Lockdown%20options%3A-,--seccomp%20fd,-Load%20and%20use).
 
+
 #### Runtime monitoring
 
 If **environment variable `VERBOSE=`** is set to a non-empty value,

sandbox-run

@@ -45,16 +45,21 @@ paths='
 /etc/ssl
 /etc/hosts
 /etc/pki
+/etc/pkcs11
 /etc/ld.so.cache
+/etc/ld.so.conf.d
 /etc/localtime
-/etc/mtab
 /etc/os-release
 /etc/timezone
 /lib
 /lib64
 /run/dbus/system_bus_socket
 /usr
 '
+# ld.so.conf.d: https://containertoolbx.org/doc/#ldconfig8
+RW_paths='
+/etc/ld.so.conf.d
+'
 
 # Support BWRAP_ARGS passed to the process as well as via .env file
 prev_BWRAP_ARGS="${BWRAP_ARGS:-}"
@@ -97,16 +102,18 @@ warn "exec bwrap [...] $formatted_cmdline"
 
 # shellcheck disable=SC2046
 bwrap \
-    --dir /tmp \
+    --tmpfs /tmp \
     --tmpfs /run \
     --proc /proc \
     --dev /dev \
+    --symlink /run /var/run \
     --symlink /tmp /var/tmp \
     --symlink /usr/bin /bin \
     --symlink /usr/bin /sbin \
     --dev-bind-try /dev/fuse /dev/fuse \
     --ro-bind "$bin" "$bin" \
     $(set +x; for path in $paths; do [ ! -e "$path" ] || printf -- '--ro-bind-try %s %s ' "$path" "$path"; done) \
+    $(set +x; for path in $RW_paths; do [ ! -e "$path" ] || printf -- '--bind-try %s %s ' "$path" "$path"; done) \
     --bind "$cwd" "$cwd" \
     --chdir "$cwd" \
     --clearenv \