Make's bwrap() read-only logic optional

author Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 23 Aug 2023 11:16:44 +0000 (13:16 +0200)

committer Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 23 Aug 2023 11:20:22 +0000 (13:20 +0200)
author Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 23 Aug 2023 11:16:44 +0000 (13:16 +0200)
committer Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 23 Aug 2023 11:20:22 +0000 (13:20 +0200)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py

index be92c96c715551185a83af8be5201cc996837484..ab94e45acb2d58ad19bdf24d862084eb1ce63eb8 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -267,6 +267,7 @@ def run_prepare_script(state: MkosiState, build: bool) -> None:
              bwrap(
                  [state.config.prepare_script, "build"],
                  network=True,
+                readonly=True,
                  options=finalize_mounts(state.config),
                  scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
                  env=env | state.config.environment,
@@ -277,6 +278,7 @@ def run_prepare_script(state: MkosiState, build: bool) -> None:
              bwrap(
                  [state.config.prepare_script, "final"],
                  network=True,
+                readonly=True,
                  options=finalize_mounts(state.config),
                  scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
                  env=env | state.config.environment,
@@ -330,6 +332,7 @@ def run_build_script(state: MkosiState) -> None:
          bwrap(
              [state.config.build_script],
              network=state.config.with_network,
+            readonly=True,
              options=finalize_mounts(state.config),
              scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
              env=env | state.config.environment,
@@ -367,6 +370,7 @@ def run_postinst_script(state: MkosiState) -> None:
          bwrap(
              [state.config.postinst_script, "final"],
              network=state.config.with_network,
+            readonly=True,
              options=finalize_mounts(state.config),
              scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
              env=env | state.config.environment,
@@ -404,6 +408,7 @@ def run_finalize_script(state: MkosiState) -> None:
          bwrap(
              [state.config.finalize_script],
              network=state.config.with_network,
+            readonly=True,
              options=finalize_mounts(state.config),
              scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
              env=env | state.config.environment,
diff --git a/mkosi/distributions/gentoo.py b/mkosi/distributions/gentoo.py

index 2216d6565033fe4643fed66eeeda8e1a70ba1daa..fde88233f465db18fe5bb8f36dc15a103beff352 100644 (file)
--- a/mkosi/distributions/gentoo.py
+++ b/mkosi/distributions/gentoo.py
@@ -15,7 +15,7 @@ from mkosi.run import apivfs_cmd, bwrap, chroot_cmd, run
  from mkosi.state import MkosiState
  from mkosi.tree import copy_tree, rmtree
  from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages
+from mkosi.util import sort_packages
  
  
  def invoke_emerge(state: MkosiState, packages: Sequence[str] = (), apivfs: bool = True) -> None:
@@ -49,7 +49,6 @@ def invoke_emerge(state: MkosiState, packages: Sequence[str] = (), apivfs: bool
              "--bind", state.cache_dir / "stage3/var", "/var",
              "--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf",
              "--bind", state.cache_dir / "repos", "/var/db/repos",
-            *flatten(["--bind", str(d), str(d)] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
          ],
          env=dict(
              PKGDIR=str(state.cache_dir / "binpkgs"),
@@ -145,8 +144,7 @@ class GentooInstaller(DistributionInstaller):
              options=["--bind", state.cache_dir / "repos", "/var/db/repos"],
          )
  
-        bwrap(cmd=chroot + ["emerge-webrsync"], network=True,
-              options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d))
+        bwrap(cmd=chroot + ["emerge-webrsync"], network=True)
  
          invoke_emerge(state, packages=["sys-apps/baselayout"], apivfs=False)
  
diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py

index d84a71a6b92870c7b15d8a626a747677037b5f6b..50a0162c2a168dd64b05a7f838f16bd934fe7960 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -6,7 +6,7 @@ from collections.abc import Sequence
  from mkosi.run import apivfs_cmd, bwrap
  from mkosi.state import MkosiState
  from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages, umask
+from mkosi.util import sort_packages, umask
  
  
  def setup_apt(state: MkosiState, repos: Sequence[str]) -> None:
@@ -107,5 +107,4 @@ def invoke_apt(
  ) -> None:
      cmd = apivfs_cmd(state.root) if apivfs else []
      bwrap(cmd + apt_cmd(state, command) + [operation, *sort_packages(packages)],
-          options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
            network=True, env=state.config.environment)
diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py

index c9bab7f221d3d8ed750f37e41f15676ffb7d4aa7..83522caed001c5279fb3db383968a284479f4da9 100644 (file)
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -10,7 +10,7 @@ from mkosi.run import apivfs_cmd, bwrap
  from mkosi.state import MkosiState
  from mkosi.tree import rmtree
  from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages
+from mkosi.util import sort_packages
  
  
  class Repo(NamedTuple):
@@ -116,7 +116,6 @@ def dnf_cmd(state: MkosiState) -> list[PathString]:
  def invoke_dnf(state: MkosiState, command: str, packages: Iterable[str], apivfs: bool = True) -> None:
      cmd = apivfs_cmd(state.root) if apivfs else []
      bwrap(cmd + dnf_cmd(state) + [command, *sort_packages(packages)],
-          options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
            network=True, env=state.config.environment)
  
      fixup_rpmdb_location(state.root)
diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py

index af7dfc90bcc89a63ae7fc2cd2e4c76c152eeaf85..4b0489b45d2bef7a5158d058dc2e05fa3ad82eda 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -8,7 +8,7 @@ from mkosi.config import ConfigFeature
  from mkosi.run import apivfs_cmd, bwrap
  from mkosi.state import MkosiState
  from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages, umask
+from mkosi.util import sort_packages, umask
  
  
  def setup_pacman(state: MkosiState) -> None:
@@ -113,5 +113,4 @@ def pacman_cmd(state: MkosiState) -> list[PathString]:
  def invoke_pacman(state: MkosiState, packages: Sequence[str], apivfs: bool = True) -> None:
      cmd = apivfs_cmd(state.root) if apivfs else []
      bwrap(cmd + pacman_cmd(state) + ["-Sy", *sort_packages(packages)],
-          options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
            network=True, env=state.config.environment)
diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py

index 16cf030aac3b9f3fa55ff345b99bcdc557ad13d8..3b4b7f575ee49141de9c0557a68fecbc3182a8c8 100644 (file)
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
@@ -6,7 +6,7 @@ from mkosi.installer.dnf import Repo, fixup_rpmdb_location
  from mkosi.run import apivfs_cmd, bwrap
  from mkosi.state import MkosiState
  from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages
+from mkosi.util import sort_packages
  
  
  def setup_zypper(state: MkosiState, repos: Sequence[Repo]) -> None:
@@ -70,7 +70,6 @@ def invoke_zypper(
  ) -> None:
      cmd = apivfs_cmd(state.root) if apivfs else []
      bwrap(cmd + zypper_cmd(state) + [verb, *sort_packages(packages), *options],
-          options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
            network=True, env=state.config.environment)
  
      fixup_rpmdb_location(state.root)
diff --git a/mkosi/run.py b/mkosi/run.py

index 87e8a5a950b0e8c84236b86445b64b4ae6e052a2..80b1a88fb0a893f8378060a8c8ff01813deea4d4 100644 (file)
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -272,6 +272,7 @@ def bwrap(
      cmd: Sequence[PathString],
      *,
      network: bool = False,
+    readonly: bool = False,
      options: Sequence[PathString] = (),
      log: bool = True,
      scripts: Mapping[str, Sequence[PathString]] = {},
@@ -282,12 +283,19 @@ def bwrap(
      cmdline: list[PathString] = [
          "bwrap",
          "--dev-bind", "/", "/",
-        "--remount-ro", "/",
-        "--ro-bind", "/root", "/root",
-        "--ro-bind", "/home", "/home",
-        "--ro-bind", "/var", "/var",
-        "--ro-bind", "/run", "/run",
-        "--bind", "/var/tmp", "/var/tmp",
+    ]
+
+    if readonly:
+        cmdline += [
+            "--remount-ro", "/",
+            "--ro-bind", "/root", "/root",
+            "--ro-bind", "/home", "/home",
+            "--ro-bind", "/var", "/var",
+            "--ro-bind", "/run", "/run",
+            "--bind", "/var/tmp", "/var/tmp",
+        ]
+
+    cmdline += [
          "--tmpfs", "/tmp",
          "--bind", Path.cwd(), Path.cwd(),
          "--chdir", Path.cwd(),
author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 23 Aug 2023 11:16:44 +0000 (13:16 +0200)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 23 Aug 2023 11:20:22 +0000 (13:20 +0200)
mkosi/__init__.py		patch \| blob \| blame \| history
mkosi/distributions/gentoo.py		patch \| blob \| blame \| history
mkosi/installer/apt.py		patch \| blob \| blame \| history
mkosi/installer/dnf.py		patch \| blob \| blame \| history
mkosi/installer/pacman.py		patch \| blob \| blame \| history
mkosi/installer/zypper.py		patch \| blob \| blame \| history
mkosi/run.py		patch \| blob \| blame \| history