from mkosi.config import Args, Config
from mkosi.tree import make_tree
from mkosi.types import PathString
-from mkosi.util import umask
+from mkosi.util import flatten, umask
class Context:
devices=devices,
scripts=scripts,
options=[
- # This mount is writable so bwrap can create extra directories or symlinks inside of it as
- # needed. This isn't a problem as the package manager directory is created by mkosi and
- # thrown away when the build finishes.
- "--bind", self.pkgmngr / "etc", "/etc",
+ # These mounts are writable so bubblewrap can create extra directories or symlinks inside of it as
+ # needed. This isn't a problem as the package manager directory is created by mkosi and thrown away
+ # when the build finishes.
+ *flatten(
+ ["--bind", os.fspath(self.pkgmngr / "etc" / p.name), f"/etc/{p.name}"]
+ for p in (self.pkgmngr / "etc").iterdir()
+ ),
*options,
*(["--ro-bind", os.fspath(p), os.fspath(p)] if (p := self.pkgmngr / "usr").exists() else []),
],
*options,
]
+ if not relaxed:
+ cmdline += ["--symlink", "../proc/self/mounts", "/etc/mtab"]
+
# If we're using /usr from a tools tree, we have to use /etc/alternatives from the tools tree as well if it
# exists since that points directly back to /usr. Apply this after the options so the caller can mount
# something else to /etc without overriding this mount. In relaxed mode, we only do this if /etc/alternatives
if network and not relaxed:
cmdline += ["--bind", "/etc/resolv.conf", "/etc/resolv.conf"]
- if devices:
- shm = ":"
- else:
- shm = "chmod 1777 /dev/shm"
+ # bubblewrap creates everything with a restricted mode so relax stuff as needed.
+ ops = []
+ if not devices:
+ ops += ["chmod 1777 /dev/shm"]
+ if not relaxed:
+ ops += ["chmod 755 /etc"]
+ ops += ["exec $0 \"$@\""]
- cmdline += ["sh", "-c", f"{shm} && exec $0 \"$@\""]
+ cmdline += ["sh", "-c", " && ".join(ops)]
return cmdline
projects / thirdparty / mkosi.git / commitdiff
