Don't drop privileges when running qemu and invoked as root

Depending on the environment and what options are used, running qemu
might require root privileges. So if we're invoked as root and we're
going to run qemu, let's not drop privileges.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 423665780584fb2a8afcab972da8ac5163eb5110..006efbd4723942da9d837d7a7b85a7ed2682b4a7 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1719,6 +1719,7 @@ def run_verb(args: MkosiArgs, presets: Sequence[MkosiConfig]) -> None:
     for config in presets:
         try_import(f"mkosi.distributions.{config.distribution}")
 
+    invoked_as_root = os.getuid() == 0
     name = InvokingUser.name()
 
     # Get the user UID/GID either on the host or in the user namespace running the build
@@ -1786,8 +1787,10 @@ def run_verb(args: MkosiArgs, presets: Sequence[MkosiConfig]) -> None:
     with mount_usr(last.tools_tree, umount=False), mount_passwd(name, uid, gid, umount=False):
 
         # After mounting the last tools tree, if we're not going to execute systemd-nspawn, we don't need to
-        # be (fake) root anymore, so switch user to the invoking user.
-        if args.verb not in (Verb.shell, Verb.boot):
+        # be (fake) root anymore, so switch user to the invoking user. If we're going to invoke qemu and
+        # mkosi was executed as root, we also don't drop privileges as depending on the environment and
+        # options passed, running qemu might need root privileges as well.
+        if not args.verb.needs_root() and (args.verb != Verb.qemu or not invoked_as_root):
             os.setresgid(gid, gid, gid)
             os.setresuid(uid, uid, uid)