From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sat, 2 Nov 2024 15:35:44 +0000 (+0100)
Subject: Don't mount sandbox.py to /sandbox.py in relaxed sandbox
X-Git-Tag: v25~188^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=149f6730d231ea55ad4670f4cebe567621257377;p=thirdparty%2Fmkosi.git

Don't mount sandbox.py to /sandbox.py in relaxed sandbox

In a relaxed sandbox we'll never execute apivfs_script_cmd() or
chroot_script_cmd() so there's no need to mount sandbox.py in.
---

diff --git a/mkosi/run.py b/mkosi/run.py
index 5be80a453..7dbeba096 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -491,10 +491,6 @@ def sandbox_cmd(
         # used instead.
         "--unsetenv", "TMPDIR",
         *network_options(network=network),
-        # apivfs_script_cmd() and chroot_script_cmd() are executed from within the sandbox, but they still
-        # use sandbox.py, so we make sure it is available inside the sandbox so it can be executed there as
-        # well.
-        "--ro-bind", Path(mkosi.sandbox.__file__), "/sandbox.py",
     ]  # fmt: skip
 
     if overlay and (overlay / "usr").exists():
@@ -548,6 +544,10 @@ def sandbox_cmd(
             "--dir", "/var/tmp",
             "--dir", "/var/log",
             "--unshare-ipc",
+            # apivfs_script_cmd() and chroot_script_cmd() are executed from within the sandbox, but they
+            # still use sandbox.py, so we make sure it is available inside the sandbox so it can be executed
+            # there as well.
+            "--ro-bind", Path(mkosi.sandbox.__file__), "/sandbox.py",
         ]  # fmt: skip
 
         if devices: