From: Daan De Meyer Date: Sun, 21 Jul 2024 20:07:32 +0000 (+0200) Subject: Force user namespace in bubblewrap if we're not running as root X-Git-Tag: v24~22^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01ac080103f2bc61ecc23334b00334e421eebb8a;p=thirdparty%2Fmkosi.git Force user namespace in bubblewrap if we're not running as root Depending on whether bwrap is installed setuid or not it might try to not create a user namespace. Let's explicitly tell it to create one if we're not invoking it as root to make sure one is always created. --- diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py index 459199fb4..49e8ca9f3 100644 --- a/mkosi/sandbox.py +++ b/mkosi/sandbox.py @@ -153,6 +153,11 @@ def sandbox_cmd( # We mounted a subdirectory of TMPDIR to /var/tmp so we unset TMPDIR so that /tmp or /var/tmp are used instead. "--unsetenv", "TMPDIR", ] + + # Make sure that bubblewrap uses a user namespace even if it's installed as setuid. + if os.getuid() != 0: + cmdline += ["--unshare-user"] + mounts += [Mount(tools / "usr", "/usr", ro=True)] if relaxed: