# bubblewrap creates everything with a restricted mode so relax stuff as needed.
ops = []
- if not devices:
+ if not devices and not relaxed:
ops += ["chmod 1777 /dev/shm"]
- if not relaxed:
+ if relaxed and INVOKING_USER.home().exists() and len(INVOKING_USER.home().parents) > 1:
+ # We might mount a subdirectory of /home so /home will be created with the wrong permissions by bubblewrap so
+ # we need to fix up the permissions.
+ ops += [f"chmod 755 {list(INVOKING_USER.home().parents)[-1]}"]
+ else:
ops += ["chmod 755 /etc"]
ops += ["exec $0 \"$@\""]
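Review bot: The index in the added `chmod 755 {list(INVOKING_USER.home().parents)[-1]}` line selects the filesystem root, not the directory the comment describes. `Path.parents` runs from the nearest parent outward, so for `/home/user` the last element is `/` and `/home` is `[-2]`, which the `len(...) > 1` guard already makes safe to index. As written the script would chmod `/` and leave `/home` with bubblewrap's restricted mode. The path is also interpolated unquoted into a shell command string, so I would write `ops += [f"chmod 755 {shlex.quote(str(list(INVOKING_USER.home().parents)[-2]))}"]`, assuming `shlex` is imported in this module. Indentation is lost on this page and the enclosing function starts and ends outside the hunk, so please confirm the new `else:` is meant to run `chmod 755 /etc` in relaxed mode when the home directory does not exist.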