Remove uidmap argument from start_virtiofsd()

Instead, automatically infer whether it's required or not based on
the owner of the directory we're passing in.

Also make whether we do selinux or not an explicit argument, and do
the same for the name used for the virtiofsd scope.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 07c44cba2d977dd451d3ef2b8403a5ced990b866..f7c3c8395f23baa13402bf819b165ad88cae6c36 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3858,7 +3858,8 @@ def run_shell(args: Args, config: Config) -> None:
             # source directory which would mean we'd be mounting the container root directory as a subdirectory in
             # itself which tends to lead to all kinds of weird issues, which we avoid by not doing a recursive mount
             # which means the container root directory mounts will be skipped.
-            cmdline += ["--bind", f"{tree.source}:{target}:norbind,rootidmap"]
+            uidmap = "rootidmap" if tree.source.stat().st_uid == INVOKING_USER.uid else "noidmap"
+            cmdline += ["--bind", f"{tree.source}:{target}:norbind,{uidmap}"]
 
         if config.runtime_scratch == ConfigFeature.enabled or (
             config.runtime_scratch == ConfigFeature.auto and

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 3ca175d195b2029db64f5b45d9a6ed67de8ab11e..263e85f71f588ef1d050519a078135f48f1a3c66 100644 (file)
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -298,7 +298,9 @@ def find_virtiofsd(*, tools: Path = Path("/")) -> Optional[Path]:
 
 
 @contextlib.contextmanager
-def start_virtiofsd(config: Config, directory: Path, *, uidmap: bool) -> Iterator[Path]:
+def start_virtiofsd(config: Config, directory: Path, *, name: str, selinux: bool = False) -> Iterator[Path]:
+    uidmap = directory.stat().st_uid == INVOKING_USER.uid
+
     virtiofsd = find_virtiofsd(tools=config.tools())
     if virtiofsd is None:
         die("virtiofsd must be installed to boot directory images or use RuntimeTrees= with mkosi qemu")
@@ -314,7 +316,7 @@ def start_virtiofsd(config: Config, directory: Path, *, uidmap: bool) -> Iterato
         f"--inode-file-handles={'prefer' if os.getuid() == 0 and not uidmap else 'never'}",
     ]
 
-    if not uidmap and want_selinux_relabel(config, directory, fatal=False):
+    if selinux:
         cmdline += ["--security-label"]
 
     # We create the socket ourselves and pass the fd to virtiofsd to avoid race conditions where we start qemu
@@ -354,7 +356,7 @@ def start_virtiofsd(config: Config, directory: Path, *, uidmap: bool) -> Iterato
         ) as proc:
             allocate_scope(
                 config,
-                name=f"mkosi-virtiofsd-{directory}" if uidmap else f"mkosi-virtiofsd-{config.machine_or_name()}",
+                name=f"mkosi-virtiofsd-{name}",
                 pid=proc.pid,
                 description=f"virtiofsd for {directory}",
             )
@@ -938,7 +940,13 @@ def run_qemu(args: Args, config: Config) -> None:
 
                 kcl += [root]
             elif config.output_format == OutputFormat.directory:
-                sock = stack.enter_context(start_virtiofsd(config, fname, uidmap=False))
+                sock = stack.enter_context(
+                    start_virtiofsd(
+                        config,
+                        fname,
+                        name=config.machine_or_name(),
+                        selinux=bool(want_selinux_relabel(config, fname, fatal=False))),
+                )
                 cmdline += [
                     "-chardev", f"socket,id={sock.name},path={sock}",
                     "-device", f"vhost-user-fs-pci,queue-size=1024,chardev={sock.name},tag=root",
@@ -946,7 +954,7 @@ def run_qemu(args: Args, config: Config) -> None:
                 kcl += ["root=root", "rootfstype=virtiofs", "rw"]
 
         for tree in config.runtime_trees:
-            sock = stack.enter_context(start_virtiofsd(config, tree.source, uidmap=True))
+            sock = stack.enter_context(start_virtiofsd(config, tree.source, name=os.fspath(tree.source)))
             tag = tree.target.name if tree.target else tree.source.name
             cmdline += [
                 "-chardev", f"socket,id={sock.name},path={sock}",