From: Daan De Meyer
Date: Fri, 13 Dec 2024 13:24:36 +0000 (+0100)
Subject: sandbox: Show better error on missing mountpoints
X-Git-Tag: v25~114^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8343ba3891f29992589e8680718d24704d717dbb;p=thirdparty%2Fmkosi.git

sandbox: Show better error on missing mountpoints

Currently, if a crypto mountpoint does not exist, we fail with a PermissionError exception. Let's show a better error and guide users to what they can do to prevent this from happening.

Also fix the action to create all the necessary mountpoints upfront.
---
diff --git a/action.yaml b/action.yaml
index df7ae67f8..6c8d5a311 100644
--- a/action.yaml
+++ b/action.yaml
@@ -45,6 +45,15 @@ runs:
 sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
 sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+ - name: Create missing mountpoints
+ shell: bash
+ run: |
+ for p in /etc/pki /etc/pacman.d/gnupg /etc/ssl /etc/ca-certificates /var/lib/ca-certificates /etc/crypto-policies; do
+ if [[ ! -e "$p" ]]; then
+ sudo mkdir -p "$p"
+ fi
+ done
+
 # Both the unix-chkpwd and swtpm profiles are broken (https://gitlab.com/apparmor/apparmor/-/issues/402) so let's
 # just disable and remove apparmor completely. It's not relevant in this context anyway.
 # TODO: Remove if https://github.com/actions/runner-images/issues/10015 is ever fixed.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index d3a31e6ae..b79f5041a 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
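Review bot: The six paths hard-coded in the new `Create missing mountpoints` step appear to be a second copy of the destinations that finalize_crypto_mounts in mkosi/__init__.py produces (the second hunk checks exactly those destinations), so adding a mountpoint on the Python side will not be reflected here and the action will regress to the PermissionError the commit is trying to avoid. A comment naming the source of truth would at least direct the next editor there, for example `# Keep in sync with the destinations produced by finalize_crypto_mounts() in mkosi/__init__.py`. Whether the list is really derived from that function is inferred from the two hunks rather than visible in the action itself.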
@@ -3768,7 +3768,20 @@ def run_sandbox(args: Args, config: Config) -> None:
 # If we're not using tools tree certificates we don't have to do anything since the relaxed sandbox will
 # already have /etc and /var from the host so we don't need to do anything extra.
 if config.tools_tree_certificates:
- options += finalize_crypto_mounts(config)
+ mounts = finalize_crypto_mounts(config)
+
+ # Since we reuse almost every top level directory from the host except /usr, the crypto mountpoints
+ # have to exist already in these directories or we'll fail with a permission error. Let's check this
+ # early and show a better error and a suggestion on how users can fix this issue. We use slice
+ # notation to get every 3rd item from the mounts list which is the destination path.
+ for dst in mounts[2::3]:
+ if not Path(dst).exists():
+ die(
+ f"Missing mountpoint {dst}",
+ hint=f"Create an empty directory at {dst} using 'mkdir -p {dst}' as root and try again",
+ )
+
+ options += mounts
 run(
 cmdline,
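Review bot: `Path(dst).exists()` follows symlinks, so a dangling symlink at dst is also reported as "Missing mountpoint" and the suggested `mkdir -p {dst}` will then fail because the name already exists; checking `p = Path(dst)` and `if not p.exists() and not p.is_symlink():` — or wording the hint to say "replace any stale symlink" — would keep the error honest for that case. The `mounts[2::3]` slice also hard-codes the shape of finalize_crypto_mounts's return value (per the new comment, flag/source/destination triples) without anything enforcing it, so a future change to that helper would silently make this loop test the wrong strings; a cheap guard such as `assert len(mounts) % 3 == 0, mounts`, or having the helper expose the destination list directly, would fail loudly instead. run_sandbox starts before this hunk and the enclosing `run(` call continues past its last line.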