die("Please specify a command to execute in the sandbox")
mounts = finalize_certificate_mounts(config, relaxed=True)
- if config.tools() != Path("/"):
- for f in ("passwd", "group", "shadow", "gshadow"):
- if Path(f"/etc/{f}").exists() and (config.tools() / "etc" / f).exists():
- mounts += ["--ro-bind", f"/etc/{f}", f"/etc/{f}"]
-
- if Path("/etc/nsswitch.conf").exists() and (config.tools() / "etc/nsswitch.conf").exists():
- mounts += ["--ro-bind", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]
# Since we reuse almost every top level directory from the host except /usr and /etc, the crypto
# mountpoints have to exist already in these directories or we'll fail with a permission error. Let's
cmdline += ["--bind", p, p]
cmdline += ["--ro-bind", tools / "etc", "/etc"]
+
+ if tools != Path("/"):
+ for f in ("passwd", "group", "shadow", "gshadow", "nsswitch.conf"):
+ if Path(f"/etc/{f}").exists() and (tools / "etc" / f).exists():
+ cmdline += ["--ro-bind", f"/etc/{f}", f"/etc/{f}"]
else:
cmdline += [
"--dir", "/var/tmp",
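Review bot: The tuple in the added loop includes `shadow` and `gshadow`, so with these binds moved out of the removed caller-side block and into the shared sandbox command line, the host's password-hash files are mounted at `/etc/shadow` and `/etc/gshadow` wherever this branch runs with a separate tools tree, apparently no longer just for the one caller that used to add them. The mounts are read-only and the host file modes still apply, but when the process runs as root every tools-tree binary started this way can read the hashes. Name lookups need only `passwd`, `group` and `nsswitch.conf`, so unless something in the sandbox authenticates against the host database I would narrow the loop to `for f in ("passwd", "group", "nsswitch.conf"):`, or keep the list and add a comment such as `# shadow/gshadow are bound because <reason>; only readable when running as root`. The enclosing function starts and ends outside the hunk and indentation is lost on this page, so which `if` the trailing `else:` pairs with cannot be confirmed from here.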