apple · Sunsvea · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025
diff --git a/Sources/Containerization/AttachedFilesystem.swift b/Sources/Containerization/AttachedFilesystem.swift
@@ -16,6 +16,7 @@
 
 import ContainerizationExtras
 import ContainerizationOCI
+import Foundation
 
 /// A filesystem that was attached and able to be mounted inside the runtime environment.
 public struct AttachedFilesystem: Sendable {
@@ -27,12 +28,22 @@ public struct AttachedFilesystem: Sendable {
     public var destination: String
     /// The options to use when mounting the filesystem.
     public var options: [String]
+    /// True if this is a single file mount using hardlink isolation
+    var isFile: Bool
 
     #if os(macOS)
     public init(mount: Mount, allocator: any AddressAllocator<Character>) throws {
+        self.isFile = mount.isFile
+
         switch mount.type {
         case "virtiofs":
-            let name = try hashMountSource(source: mount.source)
+            let shareSource: String
+            if mount.isFile {
+                shareSource = try mount.createIsolatedFileShare()
+            } else {
+                shareSource = mount.source
+            }
+            let name = try hashMountSource(source: shareSource)
             self.source = name
         case "ext4":
             let char = try allocator.allocate()
@@ -42,7 +53,13 @@ public struct AttachedFilesystem: Sendable {
         }
         self.type = mount.type
         self.options = mount.options
-        self.destination = mount.destination
+
+        // For file mounts with hardlink isolation, mount at parent directory
+        if mount.isFile && mount.type == "virtiofs" {
+            self.destination = URL(fileURLWithPath: mount.destination).deletingLastPathComponent().path
+        } else {
+            self.destination = mount.destination
+        }
     }
     #endif
 }
diff --git a/Sources/Containerization/Mount.swift b/Sources/Containerization/Mount.swift
@@ -132,6 +132,41 @@ public struct Mount: Sendable {
 #if os(macOS)
 
 extension Mount {
+    var isFile: Bool {
+        var isDirectory: ObjCBool = false
+        let exists = FileManager.default.fileExists(atPath: self.source, isDirectory: &isDirectory)
+        return exists && !isDirectory.boolValue
+    }
+
+    var parentDirectory: String {
+        URL(fileURLWithPath: self.source).deletingLastPathComponent().path
+    }
+
+    var filename: String {
+        URL(fileURLWithPath: self.source).lastPathComponent
+    }
+
+    /// Create an isolated temporary directory containing only the target file via hardlink
+    func createIsolatedFileShare() throws -> String {
+        // Create deterministic temp directory based on source file path
+        let sourceHash = try hashMountSource(source: self.source)
+        let tempDir = FileManager.default.temporaryDirectory
+            .appendingPathComponent("containerization-file-mount-\(sourceHash)")
+
+        // Create directory if it doesn't exist
+        if !FileManager.default.fileExists(atPath: tempDir.path) {
+            try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true)
+
+            let isolatedFile = tempDir.appendingPathComponent(filename)
+            let sourceFile = URL(fileURLWithPath: self.source)
+
+            // Create hardlink to isolate the single file
+            try FileManager.default.linkItem(at: sourceFile, to: isolatedFile)
+        }
+
+        return tempDir.path
+    }
+
     func configure(config: inout VZVirtualMachineConfiguration) throws {
         switch self.runtimeOptions {
         case .virtioblk(let options):
@@ -140,11 +175,18 @@ extension Mount {
             config.storageDevices.append(attachment)
         case .virtiofs(_):
             guard FileManager.default.fileExists(atPath: self.source) else {
-                throw ContainerizationError(.notFound, message: "directory \(source) does not exist")
+                throw ContainerizationError(.notFound, message: "path \(source) does not exist")
+            }
+
+            let shareSource: String
+            if isFile {
+                shareSource = try createIsolatedFileShare()
+            } else {
+                shareSource = self.source
             }
 
-            let name = try hashMountSource(source: self.source)
-            let urlSource = URL(fileURLWithPath: source)
+            let name = try hashMountSource(source: shareSource)
+            let urlSource = URL(fileURLWithPath: shareSource)
 
             let device = VZVirtioFileSystemDeviceConfiguration(tag: name)
             device.share = VZSingleDirectoryShare(

diff --git a/Sources/Integration/Suite.swift b/Sources/Integration/Suite.swift
@@ -209,6 +209,8 @@ struct IntegrationSuite: AsyncParsableCommand {
             "container hostname": testHostname,
             "container hosts": testHostsFile,
             "container mount": testMounts,
+            "container single file mount": testSingleFileMount,
+            "container multiple single file mounts": testMultipleSingleFileMounts,
             "nested virt": testNestedVirtualizationEnabled,
             "container manager": testContainerManagerCreate,
             "container reuse": testContainerReuse,

diff --git a/Sources/Integration/VMTests.swift b/Sources/Integration/VMTests.swift
@@ -172,9 +172,78 @@ extension IntegrationSuite {
         }
     }
 
+    func testSingleFileMount() async throws {
+        let id = "test-single-file-mount"
+
+        let bs = try await bootstrap()
+        let buffer = BufferWriter()
+        let container = try LinuxContainer(id, rootfs: bs.rootfs, vmm: bs.vmm) { config in
+            let tempFile = try createSingleMountFile()
+            config.process.arguments = ["/bin/cat", "/app/config.txt"]
+            config.mounts.append(.share(source: tempFile.path, destination: "/app/config.txt"))
+            config.process.stdout = buffer
+        }
+
+        try await container.create()
+        try await container.start()
+
+        let status = try await container.wait()
+        try await container.stop()
+
+        guard status == 0 else {
+            throw IntegrationError.assert(msg: "process status \(status) != 0")
+        }
+
+        let value = String(data: buffer.data, encoding: .utf8)
+        guard value == "single file content" else {
+            throw IntegrationError.assert(
+                msg: "process should have returned 'single file content' != '\(String(data: buffer.data, encoding: .utf8) ?? "nil")'")
+        }
+    }
+
+    func testMultipleSingleFileMounts() async throws {
+        let id = "test-multiple-single-file-mounts"
+
+        let bs = try await bootstrap()
+        let buffer = BufferWriter()
+        let container = try LinuxContainer(id, rootfs: bs.rootfs, vmm: bs.vmm) { config in
+            let configFile = try createSingleMountFile(content: "config data")
+            let secretFile = try createSingleMountFile(content: "secret data")
+
+            config.process.arguments = ["/bin/sh", "-c", "cat /app/config.txt && echo '---' && cat /app/secret.txt"]
+            config.mounts.append(.share(source: configFile.path, destination: "/app/config.txt"))
+            config.mounts.append(.share(source: secretFile.path, destination: "/app/secret.txt"))
+            config.process.stdout = buffer
+        }
+
+        try await container.create()
+        try await container.start()
+
+        let status = try await container.wait()
+        try await container.stop()
+
+        guard status == 0 else {
+            throw IntegrationError.assert(msg: "process status \(status) != 0")
+        }
+
+        let value = String(data: buffer.data, encoding: .utf8)
+        let expected = "config data---\nsecret data"
+        guard value == expected else {
+            throw IntegrationError.assert(
+                msg: "process should have returned '\(expected)' != '\(String(data: buffer.data, encoding: .utf8) ?? "nil")'")
+        }
+    }
+
     private func createMountDirectory() throws -> URL {
         let dir = FileManager.default.uniqueTemporaryDirectory(create: true)
         try "hello".write(to: dir.appendingPathComponent("hi.txt"), atomically: true, encoding: .utf8)
         return dir
     }
+
+    private func createSingleMountFile(content: String = "single file content") throws -> URL {
+        let tempFile = FileManager.default.temporaryDirectory
+            .appendingPathComponent("test-single-file-\(UUID().uuidString).txt")
+        try content.write(to: tempFile, atomically: true, encoding: .utf8)
+        return tempFile
+    }
 }