Always run as root in Context sandbox

If there's files in /usr in the package manager tree, we need to
be running as root to mount an overlayfs on top of /usr so make
sure we are always root in the Context sandbox.

diff --git a/mkosi/context.py b/mkosi/context.py
index e1d146e2469bf220fb8d61cea4895e94c0bd44e5..c0b85e4853a74a1788f44afa12ece14965a2e690 100644 (file)
--- a/mkosi/context.py
+++ b/mkosi/context.py
@@ -80,6 +80,9 @@ class Context:
             devices=devices,
             scripts=scripts,
             options=[
+                "--uid", "0",
+                "--gid", "0",
+                "--cap-add", "ALL",
                 # These mounts are writable so bubblewrap can create extra directories or symlinks inside of it as
                 # needed. This isn't a problem as the package manager directory is created by mkosi and thrown away
                 # when the build finishes.

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index 45969da5983d16e2ba8cc6d95dae8469cd2f9562..b1b6282c31f179503e97e8b4ac2d1d124049f1ff 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -165,9 +165,6 @@ class Pacman(PackageManager):
                             *cls.mounts(context),
                             *sources,
                             "--chdir", "/work/src",
-                            # pacman will fail unless invoked as root so make sure we're uid/gid 0 in the sandbox.
-                            "--uid", "0",
-                            "--gid", "0",
                         ],
                     ) + (apivfs_cmd(context.root) if apivfs else [])
                 ),