1 files changed, 28 insertions, 7 deletions

diff --git a/src/buildstream/sandbox/_sandboxreapi.py b/src/buildstream/sandbox/_sandboxreapi.py
index 19c599197..c8d2be70b 100644
--- a/src/buildstream/sandbox/_sandboxreapi.py
+++ b/src/buildstream/sandbox/_sandboxreapi.py
@@ -57,7 +57,9 @@ class SandboxREAPI(Sandbox):
 
         # Ensure directories required for sandboxed execution exist
         for directory in ["dev", "proc", "tmp"]:
-            vdir.descend(directory, create=True)
+            vsubdir = vdir.descend(directory, create=True)
+            if flags & SandboxFlags.ROOT_READ_ONLY:
+                vsubdir._set_subtree_read_only(False)
 
         # Create directories for all marked directories. This emulates
         # some of the behaviour of other sandboxes, which create these
@@ -66,13 +68,32 @@ class SandboxREAPI(Sandbox):
         mount_sources = self._get_mount_sources()
         for mark in self._get_marked_directories():
             directory = mark["directory"]
-            if directory in mount_sources:
-                continue
-            # Create each marked directory
-            vdir.descend(*directory.split(os.path.sep), create=True)
-            read_write_directories.append(directory)
 
-        if not flags & SandboxFlags.ROOT_READ_ONLY:
+            if directory in mount_sources:
+                # Bind mount
+                mount_point = directory
+                mount_source = mount_sources[mount_point]
+
+                # Ensure mount point exists in sandbox
+                mount_point_components = mount_point.split(os.path.sep)
+                if not vdir._exists(*mount_point_components):
+                    if os.path.isdir(mount_source):
+                        # Mounting a directory, mount point must be a directory
+                        vdir.descend(*mount_point_components, create=True)
+                    else:
+                        # Mounting a file or device node, mount point must be a file
+                        parent_vdir = vdir.descend(*mount_point_components[:-1], create=True)
+                        parent_vdir._create_empty_file(mount_point_components[-1])
+            else:
+                # Read-write directory
+                marked_vdir = vdir.descend(*directory.split(os.path.sep), create=True)
+                read_write_directories.append(directory)
+                if flags & SandboxFlags.ROOT_READ_ONLY:
+                    marked_vdir._set_subtree_read_only(False)
+
+        if flags & SandboxFlags.ROOT_READ_ONLY:
+            vdir._set_subtree_read_only(True)
+        else:
             # The whole sandbox is writable
             read_write_directories = [os.path.sep]