sandbox: Akways use O_EXCL with O_CREAT

In all cases we want to make sure that we're the ones creating the
file so let's specify O_EXCL.

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 71ab7bd7569f628db7bca7758ee135705b6d35cf..47ea56493319afbc83b9cf387ec8e25e5124ac6b 100755 (executable)
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -472,7 +472,7 @@ class BindOperation(FSOperation):
 
             with umask(~0o644 if isfile else ~0o755):
                 if isfile:
-                    os.close(os.open(dst, os.O_CREAT | os.O_CLOEXEC))
+                    os.close(os.open(dst, os.O_CREAT | os.O_CLOEXEC | os.O_EXCL))
                 else:
                     os.mkdir(dst)
 
@@ -506,7 +506,7 @@ class DevOperation(FSOperation):
 
         for node in ("null", "zero", "full", "random", "urandom", "tty"):
             ndst = joinpath(dst, node)
-            os.close(os.open(ndst, os.O_CREAT | os.O_CLOEXEC))
+            os.close(os.open(ndst, os.O_CREAT | os.O_CLOEXEC | os.O_EXCL))
 
             mount(joinpath(oldroot, "dev", node), ndst, "", MS_BIND, "")
 
@@ -526,7 +526,7 @@ class DevOperation(FSOperation):
         os.symlink("pts/ptmx", joinpath(dst, "ptmx"))
 
         if self.ttyname:
-            os.close(os.open(joinpath(dst, "console"), os.O_CREAT | os.O_CLOEXEC))
+            os.close(os.open(joinpath(dst, "console"), os.O_CREAT | os.O_CLOEXEC | os.O_EXCL))
             mount(joinpath(oldroot, self.ttyname), joinpath(dst, "console"), "", MS_BIND, "")