MINIMUM_SYSTEMD_VERSION = GenericVersion("254")
+MKOSI_AS_CALLER = (
+ "setpriv",
+ f"--reuid={INVOKING_USER.uid}",
+ f"--regid={INVOKING_USER.gid}",
+ "--clear-groups",
+)
@contextlib.contextmanager
def mount_base_trees(state: MkosiState) -> Iterator[None]:
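Review bot: the new `MKOSI_AS_CALLER` tuple has no comment explaining what it does or what it assumes, and it relies on `setpriv` being available wherever scripts run; a one-line comment above the definition saying it re-enters the invoking user's uid/gid from the root-in-userns build context would help. Two behavioural points worth stating there as well: `--clear-groups` means the caller's supplementary groups are not restored, only `--reuid`/`--regid`, and since the command only switches ids it may be worth adding `--inh-caps=-all` so no inheritable capabilities survive the switch back to the caller.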
"--setenv", "BUILDROOT", "/",
],
),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
}
hd = stack.enter_context(finalize_host_scripts(state, helpers))
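Review bot: style point on the added line `"mkosi-as-caller" : MKOSI_AS_CALLER,`: the space before the colon does not match the usual dict style in this file (`"key": value`); suggest dropping it here and in the other helper dicts touched by this change.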
*(["--setenv", "BUILDDIR", "/work/build"] if state.config.build_dir else []),
],
),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
}
cmdline = state.args.cmdline if state.args.verb == Verb.build else []
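Review bot: the surrounding context `*(["--setenv", "BUILDDIR", "/work/build"] if state.config.build_dir else [])` shows that `BUILDDIR` is only exported when a build directory is configured, yet `mkosi-as-caller` is registered unconditionally; that is fine, but the documentation example in this change uses `$BUILDDIR` without qualification, so consider noting that the helper is only useful when a build directory is set.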
"--setenv", "BUILDROOT", "/",
],
),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
}
with (
"--setenv", "BUILDROOT", "/",
],
),
+ "mkosi-as-caller" : MKOSI_AS_CALLER,
}
with (
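Review bot: this is the fourth helper dict in the patch that gains the identical `"mkosi-as-caller" : MKOSI_AS_CALLER,` entry; rather than repeating it per call site, consider adding it once in a shared base helpers dict (or in `finalize_host_scripts`) so that future helpers cannot be forgotten at one of the sites.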
the host system. This means that from a script, you can do e.g.
`dnf install vim` to install vim into the image.
+* `mkosi-as-caller`: This script uses `setpriv` to switch from
+ the user `root` in the user namespace used for various build steps
+ back to the original user that called mkosi. This is useful when
+ we want to invoke build steps which will write to $BUILDDIR and
+ we want to have the files owned by the calling user.
+
+ For example, a complete `mkosi.build` script might be the following:
+
+ ```sh
+ set -ex
+
+ rm -rf "$BUILDDIR/build"
+ mkosi-as-caller meson setup "$BUILDDIR/build" "$SRCDIR"
+ mkosi-as-caller meson compile -C "$BUILDDIR/build"
+ meson install -C "$BUILDDIR/build" --no-rebuild
+ ```
+
When scripts are executed, any directories that are still writable are
also made read-only (`/home`, `/var`, `/root`, ...) and only the minimal set
of directories that need to be writable remain writable. This is to
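Review bot: the example `mkosi.build` script wraps `meson setup` and `meson compile` in `mkosi-as-caller` but runs `meson install -C "$BUILDDIR/build" --no-rebuild` as root without saying why; one sentence noting that install writes into the image tree, which is owned by root inside the namespace, while only the `$BUILDDIR` outputs need to be owned by the caller would make the distinction clear. Also worth stating in this paragraph that `$BUILDDIR` is only set when a build directory is configured, since the example assumes it exists.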