1 files changed, 17 insertions, 0 deletions

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c9f35dd75..a7b4aed9f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -26,6 +26,7 @@ import (
 	"github.com/containers/libpod/pkg/resolvconf"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/storage/pkg/idtools"
+	"github.com/cyphar/filepath-securejoin"
 	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
@@ -366,6 +367,18 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// For private volumes any root propagation value should work.
 	rootPropagation := ""
 	for _, m := range mounts {
+		// We need to remove all symlinks from tmpfs mounts.
+		// Runc and other runtimes may choke on them.
+		// Easy solution: use securejoin to do a scoped evaluation of
+		// the links, then trim off the mount prefix.
+		if m.Type == "tmpfs" {
+			finalPath, err := securejoin.SecureJoin(c.state.Mountpoint, m.Destination)
+			if err != nil {
+				return nil, errors.Wrapf(err, "error resolving symlinks for mount destination %s", m.Destination)
+			}
+			trimmedPath := strings.TrimPrefix(finalPath, strings.TrimSuffix(c.state.Mountpoint, "/"))
+			m.Destination = trimmedPath
+		}
 		g.AddMount(m)
 		for _, opt := range m.Options {
 			switch opt {
@@ -835,6 +848,10 @@ func (c *Container) generateResolvConf() (string, error) {
 
 	// Make a new resolv.conf
 	nameservers := resolvconf.GetNameservers(resolv.Content)
+	// slirp4netns has a built in DNS server.
+	if c.config.NetMode.IsSlirp4netns() {
+		nameservers = append(nameservers, "10.0.2.3")
+	}
 	if len(c.config.DNSServer) > 0 {
 		// We store DNS servers as net.IP, so need to convert to string
 		nameservers = []string{}