Always add /var/tmp to the sandbox
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Fri, 6 Sep 2024 11:42:43 +0000 (13:42 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 9 Sep 2024 16:15:23 +0000 (18:15 +0200)
Now that we don't have to worry anymore about various operations
conflicting with other sandbox mounts, let's always add /var/tmp
to the sandbox again (we originally stopped doing this to make sure
rmtree() could remove directories in /var/tmp).

mkosi/__init__.py
mkosi/config.py
mkosi/context.py
mkosi/installer/__init__.py
mkosi/qemu.py
mkosi/run.py

index 214fa04f45ee7dda6df648b63b6957971eb23f07..5bc54482283cd9f6c405283b760af089981fbd87 100644 (file)
@@ -499,7 +499,6 @@ def run_configure_scripts(config: Config) -> Config:
                     env=env | config.environment,
                     sandbox=config.sandbox(
                         binary=None,
-                        vartmp=True,
                         options=[
                             "--dir", "/work/src",
                             "--chdir", "/work/src",
@@ -573,7 +572,6 @@ def run_sync_scripts(config: Config) -> None:
                     sandbox=config.sandbox(
                         binary=None,
                         network=True,
-                        vartmp=True,
                         options=options,
                         sandbox_tree=Path(sandbox_tree),
                     ),
@@ -613,7 +611,6 @@ def script_maybe_chroot_sandbox(
             with context.sandbox(
                 binary=None,
                 network=network,
-                vartmp=True,
                 options=[
                     *options,
                     "--bind", context.root, "/buildroot",
@@ -948,7 +945,6 @@ def run_postoutput_scripts(context: Context) -> None:
                     env=env | context.config.environment,
                     sandbox=context.sandbox(
                         binary=None,
-                        vartmp=True,
                         # postoutput scripts should run as (fake) root so that file ownership is always recorded as if
                         # owned by root.
                         options=[
@@ -2703,7 +2699,6 @@ def make_image(
                         not context.config.repart_offline or
                         context.config.verity_key_source.type != KeySourceType.file
                     ),
-                    vartmp=True,
                     options=options,
                 ),
             ).stdout
@@ -2986,7 +2981,6 @@ def make_extension_image(context: Context, output: Path) -> None:
                         not context.config.repart_offline or
                         context.config.verity_key_source.type != KeySourceType.file
                     ),
-                    vartmp=True,
                     options=options,
                 ),
             ).stdout
@@ -3103,10 +3097,9 @@ def copy_repository_metadata(config: Config, dst: Path) -> None:
                 def sandbox(
                     *,
                     binary: Optional[PathString],
-                    vartmp: bool = False,
                     options: Sequence[PathString] = (),
                 ) -> AbstractContextManager[list[PathString]]:
-                    return config.sandbox(binary=binary, vartmp=vartmp, options=[*options, *exclude])
+                    return config.sandbox(binary=binary, options=[*options, *exclude])
 
                 copy_tree(src, subdst, preserve=False, sandbox=sandbox)
 
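Review bot: The nested `sandbox` wrapper in copy_repository_metadata can no longer opt out of the /var/tmp bind, and nothing on the new side records that. It used to default to `vartmp=False`; with the run.py hunk changing the condition to `vartmpdir(condition=not relaxed)`, and `relaxed` not being passed here, every call through it presumably now gets a writable `--bind` on /var/tmp. That matches the commit message, but a comment above the wrapper would make the invariant visible, for example `# config.sandbox() always binds a scratch directory on /var/tmp unless relaxed=True`. `vartmpdir()` itself is not visible on this page, so it is worth confirming that it hands out a private, per-invocation directory that is cleaned up afterwards, since the same bind now also reaches sandboxes that had not requested it. The body of copy_repository_metadata starts and ends outside this hunk.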
@@ -3360,7 +3353,6 @@ def run_shell(args: Args, config: Config) -> None:
                     binary="systemd-repart",
                     network=True,
                     devices=True,
-                    vartmp=True,
                     options=["--bind", fname, fname],
                 ),
             )
@@ -3703,7 +3695,6 @@ def run_clean_scripts(config: Config) -> None:
                     env=env | config.environment,
                     sandbox=config.sandbox(
                         binary=None,
-                        vartmp=True,
                         tools=False,
                         options=[
                             "--dir", "/work/src",
index e25eecab223d0f4b917b057b68df1aa81a4fcc42..07022bce270096297e0c9871bbe0d07c155a675f 100644 (file)
@@ -1770,7 +1770,6 @@ class Config:
         binary: Optional[PathString],
         network: bool = False,
         devices: bool = False,
-        vartmp: bool = False,
         relaxed: bool = False,
         tools: bool = True,
         scripts: Optional[Path] = None,
@@ -1805,7 +1804,6 @@ class Config:
         return sandbox_cmd(
             network=network,
             devices=devices,
-            vartmp=vartmp,
             relaxed=relaxed,
             scripts=scripts,
             tools=self.tools() if tools else Path("/"),
index 5f2ae122289ed73e61e42d31b6add1cb5a099cda..914228ae14f98d73d34b284eb89718bfd7a877e3 100644 (file)
@@ -66,7 +66,6 @@ class Context:
         binary: Optional[PathString],
         network: bool = False,
         devices: bool = False,
-        vartmp: bool = False,
         scripts: Optional[Path] = None,
         options: Sequence[PathString] = (),
     ) -> AbstractContextManager[list[PathString]]:
@@ -74,7 +73,6 @@ class Context:
             binary=binary,
             network=network,
             devices=devices,
-            vartmp=vartmp,
             scripts=scripts,
             sandbox_tree=self.sandbox_tree,
             options=options,
index 8a5468f5ca7b4515fc7af2d746a0b98319158e3a..fca89e20ac9572b7449c3c846b72fd858423e6ed 100644 (file)
@@ -129,7 +129,6 @@ class PackageManager:
         return context.sandbox(
             binary=cls.executable(context.config),
             network=True,
-            vartmp=True,
             options=[
                 "--bind", context.root, "/buildroot",
                 *cls.mounts(context),
index ba66c7ed7c4c8c320ec3e130e315f3adb3e0ea56..a6d84d931ae38ae727f57c1d31a5e3a61d8eaae4 100644 (file)
@@ -1014,7 +1014,6 @@ def run_qemu(args: Args, config: Config) -> None:
                 ],
                 sandbox=config.sandbox(
                     binary="systemd-repart",
-                    vartmp=True,
                     options=[
                         "--bind", fname.parent, workdir(fname.parent),
                         "--ro-bind", src, workdir(src),
index b7a12f8339794d32e5a78ba60ff6590f895097e7..8c46e93b05ac6056011aa3ea0c9ed3bd7529ccf4 100644 (file)
@@ -387,7 +387,6 @@ class SandboxProtocol(Protocol):
         self,
         *,
         binary: Optional[PathString],
-        vartmp: bool = False,
         options: Sequence[PathString] = (),
     ) -> AbstractContextManager[list[PathString]]: ...
 
@@ -395,7 +394,6 @@ class SandboxProtocol(Protocol):
 def nosandbox(
     *,
     binary: Optional[PathString],
-    vartmp: bool = False,
     options: Sequence[PathString] = (),
 ) -> AbstractContextManager[list[PathString]]:
     return contextlib.nullcontext([])
@@ -446,7 +444,6 @@ def sandbox_cmd(
     *,
     network: bool = False,
     devices: bool = False,
-    vartmp: bool = False,
     scripts: Optional[Path] = None,
     tools: Path = Path("/"),
     relaxed: bool = False,
@@ -535,7 +532,7 @@ def sandbox_cmd(
     if scripts:
         cmdline += ["--ro-bind", scripts, "/scripts"]
 
-    with vartmpdir(condition=vartmp and not relaxed) as dir:
+    with vartmpdir(condition=not relaxed) as dir:
         if dir:
             cmdline += ["--bind", dir, "/var/tmp"]