Don't remount /usr read-only if the output dir is inside of it

Because some build systems use output directories in /usr, let's only remount
/usr read-only if the output directory is not relative to it.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 4c35cbe35e741339533c5da0fa5d05c699d0fa00..20da3751011d4f99744cb8ce4f5983b0d1968ac4 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3975,7 +3975,13 @@ def run_build(args: Args, config: Config, *, resources: Path) -> None:
         run(["mount", "--make-rslave", "/"])
 
     # For extra safety when running as root, remount a bunch of stuff read-only.
-    for d in ("/usr", "/etc", "/opt", "/boot", "/efi", "/media"):
+    # Because some build systems use output directories in /usr, we only remount
+    # /usr read-only if the output directory is not relative to it.
+    remount = ["/etc", "/opt", "/boot", "/efi", "/media"]
+    if not config.output_dir_or_cwd().is_relative_to("/usr"):
+        remount += ["/usr"]
+
+    for d in remount:
         if Path(d).exists():
             run(["mount", "--rbind", d, d, "--options", "ro"])