Force user namespace in bubblewrap if we're not running as root

Depending on whether bwrap is installed setuid or not it might try
to not create a user namespace. Let's explicitly tell it to create
one if we're not invoking it as root to make sure one is always
created.

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 459199fb48e35ac3a4cc2fe0f3924a28178557e8..49e8ca9f3b2b8f049f19eed9070a7295efc93fb8 100644 (file)
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -153,6 +153,11 @@ def sandbox_cmd(
         # We mounted a subdirectory of TMPDIR to /var/tmp so we unset TMPDIR so that /tmp or /var/tmp are used instead.
         "--unsetenv", "TMPDIR",
     ]
+
+    # Make sure that bubblewrap uses a user namespace even if it's installed as setuid.
+    if os.getuid() != 0:
+        cmdline += ["--unshare-user"]
+
     mounts += [Mount(tools / "usr", "/usr", ro=True)]
 
     if relaxed: