Create /work with relaxed permissions
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 25 Sep 2023 08:39:42 +0000 (10:39 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 25 Sep 2023 08:39:42 +0000 (10:39 +0200)
We want to allow all users to access /work, so let's create it with
relaxed permissions. Let's also make sure we clean up the /work
directory after bwrap exits, so that whatever we do in bwrap doesn't
affect the cleanup of /work.

mkosi/run.py

index d17f54b60a63b38b8bed3b76da51d0c29c637629..dd67c2d8e0fd882b9def07ecea6fb10989fc108b 100644 (file)
@@ -406,6 +406,8 @@ def apivfs_cmd(root: Path) -> list[PathString]:
 
 def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathString]:
     cmdline: list[PathString] = [
+        # No exec here because we need to clean up the /work directory afterwards.
+        "sh", "-c", f"mkdir --mode=777 {root / 'work'} && $0 \"$@\" && rm -rf {root / 'work'}",
         "bwrap",
         "--dev-bind", root, "/",
         "--setenv", "container", "mkosi",
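Review bot: The `sh -c` script on the added line interpolates `root / 'work'` into shell text unquoted, so a root path containing whitespace or shell metacharacters is re-parsed by the shell for both `mkdir` and `rm -rf`; quote it first, e.g. `work = shlex.quote(str(root / "work"))`, and use `{work}` in the f-string (this assumes `shlex` is importable in run.py, which the hunk does not show). `--mode=777` makes the directory world-writable without the sticky bit, so any user in the sandbox can rename or delete another user's files there; `--mode=1777` would keep the access the commit message asks for while preventing that. Because the steps are chained with `&&`, `rm -rf` is skipped whenever the wrapped command fails, and a leftover directory would then make the next `mkdir` (no `-p`) fail if the same root is reused. chroot_cmd's body continues outside this hunk.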
@@ -425,8 +427,6 @@ def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathSt
     cmdline += [
         "--ro-bind", "/etc/resolv.conf", Path("/") / resolve,
         *options,
-        # No exec here because we need to clean up the /work directory afterwards.
-        "sh", "-c", f"$0 \"$@\" && rm -rf {root / 'work'}",
     ]
 
     return apivfs_cmd(root) + cmdline