#!/usr/bin/env bash

# Run a command chrooted inside $DESTDIR w/o network, with /dev/null, outline:
#
#     [helpers/chroot, outer script]
#  /  unshare
# |     -n                                            # without network
# |     -r                                            # with EUID=EGID=0
#  \    -m                                            # separate mount namespace
#         [helpers/chroot-inner, this script]
#         mount --bind /dev/null $DESTDIR/dev/null    # unprivileged /dev/null!
#         &&
#         env -i                                      # with env unset
#           chroot $DESTDIR                           # unprivileged chroot!

set -uex

exec unshare -nrm helpers/chroot-inner "$@"