From: Daan De Meyer Date: Mon, 8 Jan 2024 14:21:01 +0000 (+0100) Subject: Put tmpfs on /tmp in sandbox when not in relaxed mode X-Git-Tag: v20~6^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=012b8bd10f576261d76b077a817534a0b5aa41bb;p=thirdparty%2Fmkosi.git Put tmpfs on /tmp in sandbox when not in relaxed mode Let's sandbox more by not using the host's /tmp but instead putting a fresh tmpfs on /tmp. We used the host's /tmp before because the definitions could potentially be in the host's /tmp but now that we mount everything in explicitly that isn't a problem anymore.
---
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index fbf403b67..40d8b56cb 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -286,7 +286,11 @@ def start_swtpm(config: Config) -> Iterator[Path]:
 cmdline += ["--ctrl", f"type=unixio,fd={sock.fileno()}"]
- with spawn(cmdline, pass_fds=(sock.fileno(),), sandbox=config.sandbox()) as proc:
+ with spawn(
+ cmdline,
+ pass_fds=(sock.fileno(),),
+ sandbox=config.sandbox(options=["--bind", state, state]),
+ ) as proc:
 try:
 yield path
 finally:
diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 002a0a841..2678921e8 100644
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -81,13 +81,17 @@ def sandbox_cmd(
 cmdline: list[PathString] = [
 "bwrap",
 "--ro-bind", tools / "usr", "/usr",
- "--bind", "/tmp", "/tmp",
 *(["--unshare-net"] if not network and have_effective_cap(Capability.CAP_NET_ADMIN) else []),
 "--die-with-parent",
 "--proc", "/proc",
 "--setenv", "SYSTEMD_OFFLINE", one_zero(network),
 ]
+ if relaxed:
+ cmdline += ["--bind", "/tmp", "/tmp"]
+ else:
+ cmdline += ["--tmpfs", "/tmp"]
+ if (tools / "nix/store").exists():
+ cmdline += ["--bind", tools / "nix/store", "/nix/store"]
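Review bot: The new `options=["--bind", state, state]` in start_swtpm carries no explanation of why the swtpm state directory suddenly needs an explicit read-write bind, and `state` itself is defined outside this hunk, so a reader of this call alone cannot tell it is compensating for the sandbox no longer sharing the host's /tmp. A one-line comment above the `with spawn(` would make the coupling explicit: `# /tmp is a fresh tmpfs inside the sandbox, so the swtpm state dir must be bound in explicitly`. Whether the bind lands on top of the tmpfs or is shadowed by it depends on where sandbox_cmd splices `options` relative to `--tmpfs /tmp`, which is not visible here; worth confirming that ordering if `state` lives under /tmp. The enclosing function starts and ends outside the hunk.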
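Review bot: The `--tmpfs /tmp` added in the `else` branch of sandbox_cmd gives the sandbox a /tmp whose mode and owner are bwrap's tmpfs defaults rather than the host's sticky, world-writable 1777, so anything in the sandboxed command that changes uid before writing to /tmp may fail where it previously succeeded; if the bwrap versions mkosi targets support it, `cmdline += ["--perms", "1777", "--tmpfs", "/tmp"]` preserves the host semantics (hedged: I cannot see the minimum bwrap version from this page). A second consequence is that every caller that hands the sandboxed command a host path under /tmp now sees an empty directory unless it passes its own `--bind`, as the qemu.py hunk does for the swtpm state dir; a comment next to the new branch, `# non-relaxed sandboxes get a private /tmp; callers must bind in any /tmp paths they rely on`, would warn future callers. The `relaxed` flag is a parameter of sandbox_cmd, whose signature begins outside the hunk.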