Don't mount sandbox.py to /sandbox.py in relaxed sandbox

In a relaxed sandbox we'll never execute apivfs_script_cmd() or
chroot_script_cmd() so there's no need to mount sandbox.py in.

diff --git a/mkosi/run.py b/mkosi/run.py
index 5be80a4537230cd1c54313be739e47bc51dded6c..7dbeba096ed5cb3d0e2638b3fb7da38de5bac1cd 100644 (file)
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -491,10 +491,6 @@ def sandbox_cmd(
         # used instead.
         "--unsetenv", "TMPDIR",
         *network_options(network=network),
-        # apivfs_script_cmd() and chroot_script_cmd() are executed from within the sandbox, but they still
-        # use sandbox.py, so we make sure it is available inside the sandbox so it can be executed there as
-        # well.
-        "--ro-bind", Path(mkosi.sandbox.__file__), "/sandbox.py",
     ]  # fmt: skip
 
     if overlay and (overlay / "usr").exists():
@@ -548,6 +544,10 @@ def sandbox_cmd(
             "--dir", "/var/tmp",
             "--dir", "/var/log",
             "--unshare-ipc",
+            # apivfs_script_cmd() and chroot_script_cmd() are executed from within the sandbox, but they
+            # still use sandbox.py, so we make sure it is available inside the sandbox so it can be executed
+            # there as well.
+            "--ro-bind", Path(mkosi.sandbox.__file__), "/sandbox.py",
         ]  # fmt: skip
 
         if devices: