From: Daan De Meyer Date: Mon, 25 Sep 2023 08:39:42 +0000 (+0200) Subject: Create /work with relaxed permissions X-Git-Tag: v18~44^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b2c87ee3210877a8a06f0a0bdeef3c3f94fb5bd;p=thirdparty%2Fmkosi.git Create /work with relaxed permissions We want to allow all users to access /work, so let's create it with relaxed permissions. Let's also make sure we clean up the /work directory after bwrap exits, so that whatever we do in bwrap doesn't affect the cleanup of /work.
---
diff --git a/mkosi/run.py b/mkosi/run.py
index d17f54b60..dd67c2d8e 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -406,6 +406,8 @@ def apivfs_cmd(root: Path) -> list[PathString]:
 def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathString]:
 cmdline: list[PathString] = [
+ # No exec here because we need to clean up the /work directory afterwards.
+ "sh", "-c", f"mkdir --mode=777 {root / 'work'} && $0 \"$@\" && rm -rf {root / 'work'}",
 "bwrap", "--dev-bind", root, "/", "--setenv", "container", "mkosi",
@@ -425,8 +427,6 @@ def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathSt
 cmdline += [
 "--ro-bind", "/etc/resolv.conf", Path("/") / resolve, *options,
- # No exec here because we need to clean up the /work directory afterwards.
- "sh", "-c", f"$0 \"$@\" && rm -rf {root / 'work'}",
 ]
 return apivfs_cmd(root) + cmdline
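Review bot: In the added `sh -c` line of chroot_cmd, `{root / 'work'}` is interpolated into the shell string unquoted, once for `mkdir` and once for `rm -rf`, so a root path containing spaces or shell metacharacters would be word-split or interpreted by `sh`. Wrapping it as `shlex.quote(str(root / 'work'))` (with `import shlex` if the module lacks it) or passing the path as a positional argument would close that off. The `&&` chain also runs `rm -rf` only when the wrapped command succeeds, and since `mkdir` has no `-p`, a /work left behind by a failed run would presumably make the next invocation fail at `mkdir`; saving the status (`rc=$?`), removing the directory unconditionally and ending with `exit $rc` would match the commit message's intent. Mode 777 without the sticky bit lets any user in the image delete or replace other users' entries under /work, so if shared access is the goal `--mode=1777` is the safer choice. chroot_cmd's body continues past this hunk.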