apple · Sunsvea · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025
diff --git a/Sources/Containerization/AttachedFilesystem.swift b/Sources/Containerization/AttachedFilesystem.swift
@@ -27,12 +27,17 @@ public struct AttachedFilesystem: Sendable {
     public var destination: String
     /// The options to use when mounting the filesystem.
     public var options: [String]
+    /// True if this is a single file mount requiring bind mounting
+    public var isFileBind: Bool
 
     #if os(macOS)
     public init(mount: Mount, allocator: any AddressAllocator<Character>) throws {
+        self.isFileBind = mount.isFile
+
         switch mount.type {
         case "virtiofs":
-            let name = try hashMountSource(source: mount.source)
+            let shareSource = mount.isFile ? mount.parentDirectory : mount.source
+            let name = try hashMountSource(source: shareSource)
             self.source = name
         case "ext4":
             let char = try allocator.allocate()

diff --git a/Sources/Containerization/LinuxContainer.swift b/Sources/Containerization/LinuxContainer.swift
@@ -398,9 +398,29 @@ extension LinuxContainer {
                 try await agent.standardSetup()
 
                 // Mount the rootfs.
-                var rootfs = vm.mounts[0].to
+                var rootfs = vm.mounts[0]
                 rootfs.destination = Self.guestRootfsPath(self.id)
-                try await agent.mount(rootfs)
+                try await agent.mount(
+                    .init(
+                        type: rootfs.type,
+                        source: rootfs.source,
+                        destination: rootfs.destination,
+                        options: rootfs.options
+                    ))
+
+                // Handle file bind mounts for virtiofs shares
+                for (originalMount, attachedMount) in zip(self.config.mounts, vm.mounts.dropFirst()) where attachedMount.isFileBind {
+                    let filename = URL(fileURLWithPath: originalMount.source).lastPathComponent
+                    let sharedFilePath = "/\(attachedMount.source)/\(filename)"
+
+                    try await agent.mount(
+                        .init(
+                            type: "none",
+                            source: sharedFilePath,
+                            destination: attachedMount.destination,
+                            options: ["bind"] + (attachedMount.options.contains("ro") ? ["ro"] : [])
+                        ))
+                }
 
                 // Start up our friendly unix socket relays.
                 for socket in self.config.sockets {
@@ -449,7 +469,9 @@ extension LinuxContainer {
         do {
             var spec = generateRuntimeSpec()
             // We don't need the rootfs, nor do OCI runtimes want it included.
-            spec.mounts = vm.mounts.dropFirst().map { $0.to }
+            spec.mounts = vm.mounts.dropFirst().map {
+                .init(type: $0.type, source: $0.source, destination: $0.destination, options: $0.options)
+            }
 
             let stdio = Self.setupIO(
                 portAllocator: self.hostVsockPorts,

diff --git a/Sources/Containerization/Mount.swift b/Sources/Containerization/Mount.swift
@@ -132,6 +132,20 @@ public struct Mount: Sendable {
 #if os(macOS)
 
 extension Mount {
+    var isFile: Bool {
+        var isDirectory: ObjCBool = false
+        let exists = FileManager.default.fileExists(atPath: self.source, isDirectory: &isDirectory)
+        return exists && !isDirectory.boolValue
+    }
+
+    var parentDirectory: String {
+        URL(fileURLWithPath: self.source).deletingLastPathComponent().path
+    }
+
+    var filename: String {
+        URL(fileURLWithPath: self.source).lastPathComponent
+    }
+
     func configure(config: inout VZVirtualMachineConfiguration) throws {
         switch self.runtimeOptions {
         case .virtioblk(let options):
@@ -140,11 +154,18 @@ extension Mount {
             config.storageDevices.append(attachment)
         case .virtiofs(_):
             guard FileManager.default.fileExists(atPath: self.source) else {
-                throw ContainerizationError(.notFound, message: "directory \(source) does not exist")
+                throw ContainerizationError(.notFound, message: "path \(source) does not exist")
+            }
+
+            let shareSource: String
+            if isFile {
+                shareSource = parentDirectory
+            } else {
+                shareSource = self.source
             }
 
-            let name = try hashMountSource(source: self.source)
-            let urlSource = URL(fileURLWithPath: source)
+            let name = try hashMountSource(source: shareSource)
+            let urlSource = URL(fileURLWithPath: shareSource)
 
             let device = VZVirtioFileSystemDeviceConfiguration(tag: name)
             device.share = VZSingleDirectoryShare(

diff --git a/Tests/ContainerizationTests/MountTests.swift b/Tests/ContainerizationTests/MountTests.swift
@@ -0,0 +1,71 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2025 Apple Inc. and the Containerization project authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import Foundation
+import Testing
+
+@testable import Containerization
+
+final class MountTests {
+    @Test func fileDetection() throws {
+        let tempDir = FileManager.default.temporaryDirectory
+        let testFile = tempDir.appendingPathComponent("testfile.txt")
+
+        try "test content".write(to: testFile, atomically: true, encoding: .utf8)
+        defer { try? FileManager.default.removeItem(at: testFile) }
+
+        let mount = Mount.share(
+            source: testFile.path,
+            destination: "/app/config.txt"
+        )
+
+        #expect(mount.isFile == true)
+        #expect(mount.filename == "testfile.txt")
+        #expect(mount.parentDirectory == tempDir.path)
+    }
+
+    @Test func directoryDetection() throws {
+        let tempDir = FileManager.default.temporaryDirectory
+
+        let mount = Mount.share(
+            source: tempDir.path,
+            destination: "/app/data"
+        )
+
+        #expect(mount.isFile == false)
+    }
+
+    #if os(macOS)
+    @Test func attachedFilesystemBindFlag() throws {
+        let tempDir = FileManager.default.temporaryDirectory
+        let testFile = tempDir.appendingPathComponent("bindtest.txt")
+
+        try "bind test".write(to: testFile, atomically: true, encoding: .utf8)
+        defer { try? FileManager.default.removeItem(at: testFile) }
+
+        let mount = Mount.share(
+            source: testFile.path,
+            destination: "/app/config.txt"
+        )
+
+        let allocator = Character.blockDeviceTagAllocator()
+        let attached = try AttachedFilesystem(mount: mount, allocator: allocator)
+
+        #expect(attached.isFileBind == true)
+        #expect(attached.type == "virtiofs")
+    }
+    #endif
+}