Stop using bwrap() for systemd-dissect

systemd-dissect needs to mount stuff in the current mount namespace,
bwrap always creates a new mount namespace, so we can't sandbox
systemd-dissect.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index ffb26d1f1d4317d78d5471949f63f99cca86f82b..69a4cc2fbc52fbe018b34911f003a7d096cbdfe0 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -102,8 +102,8 @@ def mount_base_trees(context: Context) -> Iterator[None]:
                 extract_tar(context, path, d)
                 bases += [d]
             elif path.suffix == ".raw":
-                bwrap(context, ["systemd-dissect", "-M", path, d])
-                stack.callback(lambda: bwrap(context, ["systemd-dissect", "-U", d]))
+                run(["systemd-dissect", "-M", path, d])
+                stack.callback(lambda: run(["systemd-dissect", "-U", d]))
                 bases += [d]
             else:
                 die(f"Unsupported base tree source {path}")