Don't remount directory read-only if output directory is located in it
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Tue, 1 Oct 2024 07:44:36 +0000 (09:44 +0200)
committerJörg Behrmann <behrmann@physik.fu-berlin.de>
Tue, 1 Oct 2024 08:45:56 +0000 (10:45 +0200)
See #3083

mkosi/__init__.py

index bb42fbd783742b6cb8a895d0d90e3f83b2936e4a..b1a73fe43e4cee69e0fcb498bb43d32d744791d1 100644 (file)
@@ -4184,18 +4184,18 @@ def run_build(
     if os.getuid() == 0:
         mount("", "/", "", MS_SLAVE | MS_REC, "")
 
-    # For extra safety when running as root, remount a bunch of stuff read-only. Because some build systems
-    # use output directories in /usr, we only remount /usr read-only if the output directory is not relative
-    # to it.
+    # For extra safety when running as root, remount a bunch of directories read-only unless the output
+    # directory is located in it.
     if os.getuid() == 0:
-        remount = ["/etc", "/opt", "/boot", "/efi", "/media"]
-        if not config.output_dir_or_cwd().is_relative_to("/usr"):
-            remount += ["/usr"]
+        remount = ["/etc", "/opt", "/boot", "/efi", "/media", "/usr"]
 
         for d in remount:
             if not Path(d).exists():
                 continue
 
+            if config.output_dir_or_cwd().is_relative_to(d):
+                continue
+
             attrs = MOUNT_ATTR_RDONLY
             if d not in ("/usr", "/opt"):
                 attrs |= MOUNT_ATTR_NOSUID | MOUNT_ATTR_NODEV | MOUNT_ATTR_NOEXEC
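Review bot: The `continue` added after the `is_relative_to(d)` check skips the whole remount for that tree, so an output directory anywhere under /etc, /boot, /efi or /media now also forfeits the nosuid/nodev/noexec attributes that the loop adds below for those paths, and nothing tells the user that this hardening was dropped; a one-line notice before the `continue` (using whatever logging helper the module already has) would make the weakened state visible. The comparison is also purely lexical, since `Path.is_relative_to` does not resolve symlinks, so if `config.output_dir_or_cwd()` can return an unresolved or relative path (not visible here) a symlinked output location could either be remounted read-only underneath the build or, conversely, escape the check; computing `output = config.output_dir_or_cwd().resolve()` once before the loop and testing `output.is_relative_to(d)` would address both and avoids repeating the call on every iteration. Only the output directory is consulted; if other writable locations such as cache or build directories can live under these paths they would need the same treatment, though that is outside this hunk. The `run_build` body continues past the end of the hunk.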