
--bind-try overly permissive?

Open dk1953 opened this issue 3 months ago • 0 comments

Hey folks, I'm a bit new to this and just learning/playing around with bwrap, so forgive me if there's some very obvious reason for this.

Here's a snippet from the end of a bwrap+exiftool script:

--ro-bind   "$exiftool_dir"          "$exiftool_dir" \
--bind      "$imgfile"              "$imgfile" \
--bind-try  "$blah"                 "$blah" \
$exiftool_dir/exiftool "$args" "$imgfile"

When changing metadata, exiftool creates a filename_exiftool_tmp and filename_original, so it needs write permissions in the directory. I originally tried to give it pre-emptive permissions to specific non-existing files via bind-try, but I guess it doesn't work that way.

Exiftool fails if I remove the bind-try line. $blah isn't declared anywhere in the script, so this shouldn't work... and yet it did. I eventually figured out that a bash shell in the bwrap had access to my entire filesystem. And indeed, I can change $blah to anything arbitrary, or even leave it blank as --bind-try "" ""

I tried --bind "" "" and --ro-bind "" "" but neither of them interpret the empty string as root fs /; instead, bwrap just refuses to run.

I know bwrap is a bit of an "advanced" thing, but I can't help but wonder if this is really the desired behavior, especially considering --bind-try inherently fails silently.

dk1953 Nov 17 '25 07:11
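The two guards a wrapper script can put in front of the failure mode described in this issue, as an added example that is neither bubblewrap's code nor the issue author's script: `set -u`, so an unset `$blah` aborts the script before bwrap is ever called, and a small helper that refuses to emit a bind option whose path is empty, relative, or `/`. It also builds the bind list the way exiftool actually needs it, with a writable bind on the image's directory rather than on temp files that do not exist yet. The function names (`bind_opt`, `exiftool_sandbox_args`, `run_exiftool_sandboxed`), the `/usr` and `/opt/exiftool` paths and the assumption that exiftool needs the host's `/usr` (it is a Perl script) are this example's own; the rest of the author's bwrap command line is not shown on the page.

```shell
#!/bin/sh
# Added example; not code from bubblewrap or from the issue author.
# The issue reports that `--bind-try "$blah" "$blah"` with $blah unset, i.e.
# `--bind-try "" ""`, leaves the sandbox with the whole host filesystem, and
# that --bind-try fails silently by design. Two cheap defenses for a wrapper
# script: `set -u`, so an unset variable aborts before bwrap runs, and a
# helper that refuses to emit a bind option whose path is empty, relative or "/".
set -eu

# bind_opt KIND SRC DEST
# Prints "--KIND SRC DEST" on one line, or prints nothing and fails.
# KIND is one of bwrap's bind options (bind, ro-bind, dev-bind and their -try forms).
bind_opt() {
  kind=$1; src=$2; dest=$3
  case "$kind" in
    bind|ro-bind|dev-bind|bind-try|ro-bind-try|dev-bind-try) ;;
    *) echo "bind_opt: unknown option --$kind" >&2; return 2 ;;
  esac
  for p in "$src" "$dest"; do
    case "$p" in
      "") echo "bind_opt: empty path for --$kind (would expose the host root)" >&2; return 1 ;;
      /)  echo "bind_opt: refusing to bind host / via --$kind" >&2; return 1 ;;
      /*) ;;
      *)  echo "bind_opt: path must be absolute: $p" >&2; return 1 ;;
    esac
  done
  printf '%s %s %s\n' "--$kind" "$src" "$dest"
}

# exiftool_sandbox_args IMGFILE EXIFTOOL_DIR
# Prints the validated bind options for a script like the one in the issue,
# one per line. exiftool writes FILE_exiftool_tmp and FILE_original next to
# FILE, so the image's directory is what needs a writable bind, not files that
# do not exist yet (a --bind-try on a missing file is simply skipped).
# Assumption: exiftool is a Perl script, so the sandbox also gets the host's
# /usr read-only; the rest of the author's bwrap command line is not shown.
exiftool_sandbox_args() {
  img=$1; tooldir=$2
  bind_opt ro-bind /usr /usr
  bind_opt ro-bind "$tooldir" "$tooldir"
  bind_opt bind "$(dirname "$img")" "$(dirname "$img")"
}

# run_exiftool_sandboxed IMGFILE EXIFTOOL_DIR [EXIFTOOL_ARGS...]
# Builds the bwrap command from validated options and runs it. Not invoked
# below: it needs bwrap installed, and paths without whitespace, because the
# option list is passed through word splitting.
run_exiftool_sandboxed() {
  img=$1; tooldir=$2; shift 2
  opts=$(exiftool_sandbox_args "$img" "$tooldir")   # a bad path makes this fail under set -e
  # shellcheck disable=SC2086
  bwrap $opts --unshare-all --die-with-parent "$tooldir/exiftool" "$@" "$img"
}

# Demo on the issue's own inputs; $blah is deliberately left unset.
# 1. With set -u, expanding "$blah" is an error, so the bad --bind-try never runs.
if ( : "$blah" ) 2>/dev/null; then
  echo "unexpected: unset variable expanded"
else
  echo 'set -u: "$blah" is unset, the script would abort before calling bwrap'
fi
# 2. Even without set -u, the helper rejects the empty paths.
if bind_opt bind-try "" ""; then
  echo "unexpected: empty paths accepted"
fi
```

The helper deliberately treats `--bind-try` no differently from `--bind`: the `-try` variants only tolerate a missing source, and an empty string is not a missing source, so silence there is exactly what the issue is complaining about.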