Put tmpfs on /tmp in sandbox when not in relaxed mode

Let's sandbox more by not using the host's /tmp but instead putting
a fresh tmpfs on /tmp. We used the host's /tmp before because the
definitions could potentially be in the host's /tmp but now that we
mount everything in explicitly that isn't a problem anymore.

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index fbf403b67de711a2bd7d07d7c469922d9e78993f..40d8b56cbbae82f86b1f9883af93bbd05da51bef 100644 (file)
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -286,7 +286,11 @@ def start_swtpm(config: Config) -> Iterator[Path]:
 
             cmdline += ["--ctrl", f"type=unixio,fd={sock.fileno()}"]
 
-            with spawn(cmdline, pass_fds=(sock.fileno(),), sandbox=config.sandbox()) as proc:
+            with spawn(
+                cmdline,
+                pass_fds=(sock.fileno(),),
+                sandbox=config.sandbox(options=["--bind", state, state]),
+            ) as proc:
                 try:
                     yield path
                 finally:

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 002a0a8410d7eb84fe09d41ad6b47c023c67984b..2678921e8b78ee3d5ed3d36ffd951c18ba477f26 100644 (file)
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -81,13 +81,17 @@ def sandbox_cmd(
     cmdline: list[PathString] = [
         "bwrap",
         "--ro-bind", tools / "usr", "/usr",
-        "--bind", "/tmp", "/tmp",
         *(["--unshare-net"] if not network and have_effective_cap(Capability.CAP_NET_ADMIN) else []),
         "--die-with-parent",
         "--proc", "/proc",
         "--setenv", "SYSTEMD_OFFLINE", one_zero(network),
     ]
 
+    if relaxed:
+        cmdline += ["--bind", "/tmp", "/tmp"]
+    else:
+        cmdline += ["--tmpfs", "/tmp"]
+
     if (tools / "nix/store").exists():
         cmdline += ["--bind", tools / "nix/store", "/nix/store"]