From: Daan De Meyer Date: Sun, 23 Jun 2024 12:28:41 +0000 (+0200) Subject: Make /var/tmp optional for sandbox X-Git-Tag: v24~90^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2799%2Fhead;p=thirdparty%2Fmkosi.git Make /var/tmp optional for sandbox Let's only create a custom /var/tmp directory for some commands instead of all of them. We only create a custom /var/tmp for systemd-repart and scripts as other commands shouldn't have need for a separate /var/tmp that's stored on disk. Fixes #2792 --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 86f0a03c4..ae6523e63 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -463,6 +463,7 @@ def run_configure_scripts(config: Config) -> Config: env=env | config.environment, sandbox=config.sandbox( binary=None, + vartmp=True, mounts=[*sources, Mount(script, "/work/configure", ro=True)], options=["--dir", "/work/src", "--chdir", "/work/src"] ), @@ -526,6 +527,7 @@ def run_sync_scripts(context: Context) -> None: sandbox=context.sandbox( binary=None, network=True, + vartmp=True, mounts=mounts, options=["--dir", "/work/src", "--chdir", "/work/src"] ), @@ -593,6 +595,7 @@ def run_prepare_scripts(context: Context, build: bool) -> None: sandbox=context.sandbox( binary=None, network=True, + vartmp=True, mounts=[ *sources, Mount(script, "/work/prepare", ro=True), @@ -672,6 +675,7 @@ def run_build_scripts(context: Context) -> None: sandbox=context.sandbox( binary=None, network=context.config.with_network, + vartmp=True, mounts=[ *sources, Mount(script, "/work/build-script", ro=True), @@ -749,6 +753,7 @@ def run_postinst_scripts(context: Context) -> None: sandbox=context.sandbox( binary=None, network=context.config.with_network, + vartmp=True, mounts=[ *sources, Mount(script, "/work/postinst", ro=True), 
@@ -814,6 +819,7 @@ def run_finalize_scripts(context: Context) -> None: sandbox=context.sandbox( binary=None, network=context.config.with_network, + vartmp=True, mounts=[ *sources, Mount(script, "/work/finalize", ro=True), @@ -859,6 +865,7 @@ def run_postoutput_scripts(context: Context) -> None: env=env | context.config.environment, sandbox=context.sandbox( binary=None, + vartmp=True, mounts=[ *sources, Mount(script, "/work/postoutput", ro=True), @@ -3361,6 +3368,7 @@ def make_image( not context.config.repart_offline or context.config.verity_key_source.type != KeySource.Type.file ), + vartmp=True, mounts=mounts, ), ).stdout @@ -3640,6 +3648,7 @@ def make_extension_image(context: Context, output: Path) -> None: not context.config.repart_offline or context.config.verity_key_source.type != KeySource.Type.file ), + vartmp=True, mounts=mounts, ), ).stdout @@ -3769,10 +3778,11 @@ def copy_repository_metadata(context: Context) -> None: def sandbox( *, binary: Optional[PathString], + vartmp: bool = False, mounts: Sequence[Mount] = (), extra: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: - return context.sandbox(binary=binary, mounts=[*mounts, *exclude], extra=extra) + return context.sandbox(binary=binary, vartmp=vartmp, mounts=[*mounts, *exclude], extra=extra) copy_tree( src, dst, @@ -4059,6 +4069,7 @@ def run_shell(args: Args, config: Config) -> None: binary="systemd-repart", network=True, devices=True, + vartmp=True, mounts=[Mount(fname, fname)], ), ) @@ -4424,6 +4435,7 @@ def run_clean_scripts(config: Config) -> None: env=env | config.environment, sandbox=config.sandbox( binary=None, + vartmp=True, tools=False, mounts=[ *sources, diff --git a/mkosi/config.py b/mkosi/config.py index 20fbcba0e..ad7a94ab8 100644 --- a/mkosi/config.py +++ b/mkosi/config.py 
@@ -1703,6 +1703,7 @@ class Config: binary: Optional[PathString], network: bool = False, devices: bool = False, + vartmp: bool = False, relaxed: bool = False, tools: bool = True, scripts: Optional[Path] = None, @@ -1729,6 +1730,7 @@ class Config: return sandbox_cmd( network=network, devices=devices, + vartmp=vartmp, relaxed=relaxed, scripts=scripts, tools=self.tools() if tools else Path("/"), diff --git a/mkosi/context.py b/mkosi/context.py index cfb399cba..cf4d20322 100644 --- a/mkosi/context.py +++ b/mkosi/context.py @@ -78,6 +78,7 @@ class Context: binary: Optional[PathString], network: bool = False, devices: bool = False, + vartmp: bool = False, scripts: Optional[Path] = None, mounts: Sequence[Mount] = (), options: Sequence[PathString] = (), @@ -95,6 +96,7 @@ class Context: binary=binary, network=network, devices=devices, + vartmp=vartmp, scripts=scripts, mounts=[ # This mount is writable so bubblewrap can create extra directories or symlinks inside of it as needed. diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py index fdf8a63d7..da256d44c 100644 --- a/mkosi/installer/apt.py +++ b/mkosi/installer/apt.py @@ -217,6 +217,7 @@ class Apt(PackageManager): context.sandbox( binary="apt-get", network=True, + vartmp=True, mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources, *mounts], options=["--dir", "/work/src", "--chdir", "/work/src"], extra=apivfs_cmd() if apivfs else [] diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py index 95b7a1732..93bc0829f 100644 --- a/mkosi/installer/dnf.py +++ b/mkosi/installer/dnf.py @@ -198,6 +198,7 @@ class Dnf(PackageManager): context.sandbox( binary=cls.executable(context.config), network=True, + vartmp=True, mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources], options=["--dir", "/work/src", "--chdir", "/work/src"], extra=apivfs_cmd() if apivfs else [], diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py index e3f2faa94..8defdc088 100644 
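Review bot: The new `vartmp` keyword on `Config.sandbox` is undocumented, and because it defaults to `False`, any call site not updated in this commit appears to lose the host-backed /var/tmp without any signal. A short comment above the parameter list would record the contract, for example `# vartmp: back the sandbox's /var/tmp with a directory on the host's disk; off by default`. The same parameter is added without comment to `Context.sandbox` in mkosi/context.py and to `sandbox_cmd` in mkosi/sandbox.py. The method body starts and ends outside this hunk.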
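Review bot: The commit description says the custom /var/tmp is kept only for systemd-repart and scripts, yet this hunk sets `vartmp=True` for the `apt-get` sandbox, and the dnf, pacman and zypper hunks do the same. If the reason is that package managers run package scriptlets or stage large files in /var/tmp (an assumption, the diff does not say), a comment at the call would record it, for example `# package scriptlets may write large files to /var/tmp, keep it on disk`. These sandboxes also have `network=True` and the build root mounted at /buildroot, so the host-backed directory is worth listing explicitly among the locations they can write to.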
--- a/mkosi/installer/pacman.py +++ b/mkosi/installer/pacman.py @@ -169,6 +169,7 @@ class Pacman(PackageManager): context.sandbox( binary="pacman", network=True, + vartmp=True, mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources], options=["--dir", "/work/src", "--chdir", "/work/src"], extra=apivfs_cmd() if apivfs else [], diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py index 2f5e6e64d..b8022beb3 100644 --- a/mkosi/installer/zypper.py +++ b/mkosi/installer/zypper.py @@ -134,6 +134,7 @@ class Zypper(PackageManager): context.sandbox( binary="zypper", network=True, + vartmp=True, mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources], options=["--dir", "/work/src", "--chdir", "/work/src"], extra=apivfs_cmd() if apivfs else [], diff --git a/mkosi/qemu.py b/mkosi/qemu.py index 333ead55c..964b49e5b 100644 --- a/mkosi/qemu.py +++ b/mkosi/qemu.py @@ -974,6 +974,7 @@ def run_qemu(args: Args, config: Config) -> None: ], sandbox=config.sandbox( binary="systemd-repart", + vartmp=True, mounts=[Mount(fname.parent, fname.parent), Mount(src, src, ro=True)], ), ) diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py index 5d48be143..4e81c55f7 100644 --- a/mkosi/sandbox.py +++ b/mkosi/sandbox.py @@ -47,6 +47,7 @@ class SandboxProtocol(Protocol): self, *, binary: Optional[PathString], + vartmp: bool = False, mounts: Sequence[Mount] = (), extra: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: ... @@ -55,6 +56,7 @@ class SandboxProtocol(Protocol): def nosandbox( *, binary: Optional[PathString], + vartmp: bool = False, mounts: Sequence[Mount] = (), extra: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: @@ -117,6 +119,7 @@ def sandbox_cmd( *, network: bool = False, devices: bool = False, + vartmp: bool = False, scripts: Optional[Path] = None, tools: Path = Path("/"), relaxed: bool = False, 
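Review bot: `nosandbox` now accepts `vartmp`, but nothing in this hunk shows it being used. The body is outside the hunk, so this is presumably an accepted-and-ignored argument that keeps the signature in line with `SandboxProtocol`. A one-line comment such as `# vartmp is accepted for SandboxProtocol compatibility and has no effect without a sandbox` would stop a caller from assuming /var/tmp is isolated on this path.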
@@ -128,7 +131,7 @@ def sandbox_cmd( cmdline: list[PathString] = [] mounts = list(mounts) - if not relaxed: + if vartmp and not relaxed: # We want to use an empty subdirectory in the host's temporary directory as the sandbox's /var/tmp. vartmpdir = Path(os.getenv("TMPDIR", "/var/tmp")) / f"mkosi-var-tmp-{uuid.uuid4().hex[:16]}" else: @@ -153,7 +156,7 @@ def sandbox_cmd( if relaxed: mounts += [Mount("/tmp", "/tmp")] else: - cmdline += ["--dir", "/tmp", "--unshare-ipc"] + cmdline += ["--dir", "/tmp", "--dir", "/var/tmp", "--unshare-ipc"] if (tools / "nix/store").exists(): mounts += [Mount(tools / "nix/store", "/nix/store")]
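Review bot: `vartmp=True` is dropped without any signal when `relaxed` is also set, because the new condition is `if vartmp and not relaxed:`; `Config.sandbox` exposes both keywords, so that combination can be requested. Either document it on the branch, e.g. `# relaxed sandboxes do not get a private /var/tmp, so vartmp only applies to the strict sandbox` (my reading; the `else` branch is outside the hunk), or reject the combination. Since the directory is placed under `$TMPDIR` or `/var/tmp`, which are usually shared between users, it is also worth confirming that the code creating `vartmpdir` fails if the path already exists and uses mode 0700; that code is outside this hunk.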
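Review bot: The strict branch now always passes `--dir /var/tmp`, including when `vartmp` is set and a host directory is presumably mounted over it elsewhere in `sandbox_cmd` (outside this hunk), and the line has no comment explaining the two cases. Something like `# /var/tmp always exists in the sandbox; it is only backed by a host directory when vartmp is set` above the `cmdline +=` line would do. If the sandbox root is memory-backed, commands that did not opt in will now hold their /var/tmp files in RAM, which deserves a mention in the same comment.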