denyRead directories remain readable when also in denyWrite #87
Description
Steps to Reproduce
- Create config:
echo '{"filesystem":{"denyRead":["~/.ssh"],"denyWrite":["~/.ssh"]}}' > /tmp/test-fence.json
- Run:
fence --settings /tmp/test-fence.json -- cat ~/.ssh/id_rsa
Expected Behavior
Read fails - directory is in denyRead.
Actual Behavior
File contents are readable.
Cause
linux.go:1078-1079 - denyRead adds --tmpfs ~/.ssh
linux.go:1143-1145 - denyWrite adds --ro-bind ~/.ssh ~/.ssh which overrides the tmpfs mount.
The denyWrite seen map starts empty and doesn't track paths already mounted by denyRead, so the --ro-bind is applied after --tmpfs and exposes the real directory.