Make /var/tmp optional for sandbox

Let's only create a custom /var/tmp directory for some commands instead
of all of them.

We only create a custom /var/tmp for systemd-repart and scripts as other
commands shouldn't have need for a separate /var/tmp that's stored on disk.

Fixes #2792

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 86f0a03c41e5ab4f4bd7b8b4184571428baf04be..ae6523e637d5d2e447e3965aa342564ecaead074 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -463,6 +463,7 @@ def run_configure_scripts(config: Config) -> Config:
                     env=env | config.environment,
                     sandbox=config.sandbox(
                         binary=None,
+                        vartmp=True,
                         mounts=[*sources, Mount(script, "/work/configure", ro=True)],
                         options=["--dir", "/work/src", "--chdir", "/work/src"]
                     ),
@@ -526,6 +527,7 @@ def run_sync_scripts(context: Context) -> None:
                     sandbox=context.sandbox(
                         binary=None,
                         network=True,
+                        vartmp=True,
                         mounts=mounts,
                         options=["--dir", "/work/src", "--chdir", "/work/src"]
                     ),
@@ -593,6 +595,7 @@ def run_prepare_scripts(context: Context, build: bool) -> None:
                     sandbox=context.sandbox(
                         binary=None,
                         network=True,
+                        vartmp=True,
                         mounts=[
                             *sources,
                             Mount(script, "/work/prepare", ro=True),
@@ -672,6 +675,7 @@ def run_build_scripts(context: Context) -> None:
                     sandbox=context.sandbox(
                         binary=None,
                         network=context.config.with_network,
+                        vartmp=True,
                         mounts=[
                             *sources,
                             Mount(script, "/work/build-script", ro=True),
@@ -749,6 +753,7 @@ def run_postinst_scripts(context: Context) -> None:
                     sandbox=context.sandbox(
                         binary=None,
                         network=context.config.with_network,
+                        vartmp=True,
                         mounts=[
                             *sources,
                             Mount(script, "/work/postinst", ro=True),
@@ -814,6 +819,7 @@ def run_finalize_scripts(context: Context) -> None:
                     sandbox=context.sandbox(
                         binary=None,
                         network=context.config.with_network,
+                        vartmp=True,
                         mounts=[
                             *sources,
                             Mount(script, "/work/finalize", ro=True),
@@ -859,6 +865,7 @@ def run_postoutput_scripts(context: Context) -> None:
                     env=env | context.config.environment,
                     sandbox=context.sandbox(
                         binary=None,
+                        vartmp=True,
                         mounts=[
                             *sources,
                             Mount(script, "/work/postoutput", ro=True),
@@ -3361,6 +3368,7 @@ def make_image(
                         not context.config.repart_offline or
                         context.config.verity_key_source.type != KeySource.Type.file
                     ),
+                    vartmp=True,
                     mounts=mounts,
                 ),
             ).stdout
@@ -3640,6 +3648,7 @@ def make_extension_image(context: Context, output: Path) -> None:
                         not context.config.repart_offline or
                         context.config.verity_key_source.type != KeySource.Type.file
                     ),
+                    vartmp=True,
                     mounts=mounts,
                 ),
             ).stdout
@@ -3769,10 +3778,11 @@ def copy_repository_metadata(context: Context) -> None:
                 def sandbox(
                     *,
                     binary: Optional[PathString],
+                    vartmp: bool = False,
                     mounts: Sequence[Mount] = (),
                     extra: Sequence[PathString] = (),
                 ) -> AbstractContextManager[list[PathString]]:
-                    return context.sandbox(binary=binary, mounts=[*mounts, *exclude], extra=extra)
+                    return context.sandbox(binary=binary, vartmp=vartmp, mounts=[*mounts, *exclude], extra=extra)
 
                 copy_tree(
                     src, dst,
@@ -4059,6 +4069,7 @@ def run_shell(args: Args, config: Config) -> None:
                     binary="systemd-repart",
                     network=True,
                     devices=True,
+                    vartmp=True,
                     mounts=[Mount(fname, fname)],
                 ),
             )
@@ -4424,6 +4435,7 @@ def run_clean_scripts(config: Config) -> None:
                     env=env | config.environment,
                     sandbox=config.sandbox(
                         binary=None,
+                        vartmp=True,
                         tools=False,
                         mounts=[
                             *sources,

diff --git a/mkosi/config.py b/mkosi/config.py
index 20fbcba0ec7137545844276b6c62c583bc603acc..ad7a94ab8413af3111b1399186680b19ab10f93c 100644 (file)
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -1703,6 +1703,7 @@ class Config:
         binary: Optional[PathString],
         network: bool = False,
         devices: bool = False,
+        vartmp: bool = False,
         relaxed: bool = False,
         tools: bool = True,
         scripts: Optional[Path] = None,
@@ -1729,6 +1730,7 @@ class Config:
         return sandbox_cmd(
             network=network,
             devices=devices,
+            vartmp=vartmp,
             relaxed=relaxed,
             scripts=scripts,
             tools=self.tools() if tools else Path("/"),

diff --git a/mkosi/context.py b/mkosi/context.py
index cfb399cba060d6f6e7b9955f39cf2bc2130e0296..cf4d20322867a92594103cf3829eabbace3fb13e 100644 (file)
--- a/mkosi/context.py
+++ b/mkosi/context.py
@@ -78,6 +78,7 @@ class Context:
         binary: Optional[PathString],
         network: bool = False,
         devices: bool = False,
+        vartmp: bool = False,
         scripts: Optional[Path] = None,
         mounts: Sequence[Mount] = (),
         options: Sequence[PathString] = (),
@@ -95,6 +96,7 @@ class Context:
             binary=binary,
             network=network,
             devices=devices,
+            vartmp=vartmp,
             scripts=scripts,
             mounts=[
                 # This mount is writable so bubblewrap can create extra directories or symlinks inside of it as needed.

diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index fdf8a63d705aeb5d4b63fe7b35d01f2b109bec95..da256d44c7a55e9bd3d0db766a366d525a89e710 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -217,6 +217,7 @@ class Apt(PackageManager):
                     context.sandbox(
                         binary="apt-get",
                         network=True,
+                        vartmp=True,
                         mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources, *mounts],
                         options=["--dir", "/work/src", "--chdir", "/work/src"],
                         extra=apivfs_cmd() if apivfs else []

diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index 95b7a1732eab7b2f076ff9c1aa685935149011e1..93bc0829f2c53f7496e218b4bdf0423cf5c9c5c8 100644 (file)
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -198,6 +198,7 @@ class Dnf(PackageManager):
                         context.sandbox(
                             binary=cls.executable(context.config),
                             network=True,
+                            vartmp=True,
                             mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources],
                             options=["--dir", "/work/src", "--chdir", "/work/src"],
                             extra=apivfs_cmd() if apivfs else [],

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index e3f2faa948143d4d0ace6a6b6a24f6fae834f8ed..8defdc088c076cad196a850cab8bc280109a04c4 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -169,6 +169,7 @@ class Pacman(PackageManager):
                     context.sandbox(
                         binary="pacman",
                         network=True,
+                        vartmp=True,
                         mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources],
                         options=["--dir", "/work/src", "--chdir", "/work/src"],
                         extra=apivfs_cmd() if apivfs else [],

diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py
index 2f5e6e64da091fc2901b297338c6992a89658917..b8022beb3e6c9ba5f2dfd0b9409bbcd653ba19e9 100644 (file)
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
@@ -134,6 +134,7 @@ class Zypper(PackageManager):
                     context.sandbox(
                         binary="zypper",
                         network=True,
+                        vartmp=True,
                         mounts=[Mount(context.root, "/buildroot"), *cls.mounts(context), *sources],
                         options=["--dir", "/work/src", "--chdir", "/work/src"],
                         extra=apivfs_cmd() if apivfs else [],

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 333ead55cd9a004a1a5c298282ffa66f78a96289..964b49e5b3c35f2c9abce6a271178b08d8350162 100644 (file)
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -974,6 +974,7 @@ def run_qemu(args: Args, config: Config) -> None:
                 ],
                 sandbox=config.sandbox(
                     binary="systemd-repart",
+                    vartmp=True,
                     mounts=[Mount(fname.parent, fname.parent), Mount(src, src, ro=True)],
                 ),
             )

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 5d48be143a484a36472adde2654cbeb834a92e14..4e81c55f71bc32c0529257999d60f2fbff8ae5e0 100644 (file)
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -47,6 +47,7 @@ class SandboxProtocol(Protocol):
         self,
         *,
         binary: Optional[PathString],
+        vartmp: bool = False,
         mounts: Sequence[Mount] = (),
         extra: Sequence[PathString] = (),
     ) -> AbstractContextManager[list[PathString]]: ...
@@ -55,6 +56,7 @@ class SandboxProtocol(Protocol):
 def nosandbox(
     *,
     binary: Optional[PathString],
+    vartmp: bool = False,
     mounts: Sequence[Mount] = (),
     extra: Sequence[PathString] = (),
 ) -> AbstractContextManager[list[PathString]]:
@@ -117,6 +119,7 @@ def sandbox_cmd(
     *,
     network: bool = False,
     devices: bool = False,
+    vartmp: bool = False,
     scripts: Optional[Path] = None,
     tools: Path = Path("/"),
     relaxed: bool = False,
@@ -128,7 +131,7 @@ def sandbox_cmd(
     cmdline: list[PathString] = []
     mounts = list(mounts)
 
-    if not relaxed:
+    if vartmp and not relaxed:
         # We want to use an empty subdirectory in the host's temporary directory as the sandbox's /var/tmp.
         vartmpdir = Path(os.getenv("TMPDIR", "/var/tmp")) / f"mkosi-var-tmp-{uuid.uuid4().hex[:16]}"
     else:
@@ -153,7 +156,7 @@ def sandbox_cmd(
     if relaxed:
         mounts += [Mount("/tmp", "/tmp")]
     else:
-        cmdline += ["--dir", "/tmp", "--unshare-ipc"]
+        cmdline += ["--dir", "/tmp", "--dir", "/var/tmp", "--unshare-ipc"]
 
     if (tools / "nix/store").exists():
         mounts += [Mount(tools / "nix/store", "/nix/store")]