From: Daan De Meyer Date: Fri, 6 Sep 2024 11:42:43 +0000 (+0200) Subject: Always add /var/tmp to the sandbox X-Git-Tag: v25~309^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29846ab84b82d48b4f79bbdd2151063ce67c650f;p=thirdparty%2Fmkosi.git Always add /var/tmp to the sandbox Now that we don't have to worry anymore about various operations conflicting with other sandbox mounts, let's always add /var/tmp to the sandbox again (we originally stopped doing this to make sure rmtree() could remove directories in /var/tmp). --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 214fa04f4..5bc544822 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -499,7 +499,6 @@ def run_configure_scripts(config: Config) -> Config: env=env | config.environment, sandbox=config.sandbox( binary=None, - vartmp=True, options=[ "--dir", "/work/src", "--chdir", "/work/src", @@ -573,7 +572,6 @@ def run_sync_scripts(config: Config) -> None: sandbox=config.sandbox( binary=None, network=True, - vartmp=True, options=options, sandbox_tree=Path(sandbox_tree), ), @@ -613,7 +611,6 @@ def script_maybe_chroot_sandbox( with context.sandbox( binary=None, network=network, - vartmp=True, options=[ *options, "--bind", context.root, "/buildroot", @@ -948,7 +945,6 @@ def run_postoutput_scripts(context: Context) -> None: env=env | context.config.environment, sandbox=context.sandbox( binary=None, - vartmp=True, # postoutput scripts should run as (fake) root so that file ownership is always recorded as if # owned by root. options=[ @@ -2703,7 +2699,6 @@ def make_image( not context.config.repart_offline or context.config.verity_key_source.type != KeySourceType.file ), - vartmp=True, options=options, ), ).stdout @@ -2986,7 +2981,6 @@ def make_extension_image(context: Context, output: Path) -> None: not context.config.repart_offline or context.config.verity_key_source.type != KeySourceType.file ), - vartmp=True, options=options, ), ).stdout 
@@ -3103,10 +3097,9 @@ def copy_repository_metadata(config: Config, dst: Path) -> None: def sandbox( *, binary: Optional[PathString], - vartmp: bool = False, options: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: - return config.sandbox(binary=binary, vartmp=vartmp, options=[*options, *exclude]) + return config.sandbox(binary=binary, options=[*options, *exclude]) copy_tree(src, subdst, preserve=False, sandbox=sandbox) @@ -3360,7 +3353,6 @@ def run_shell(args: Args, config: Config) -> None: binary="systemd-repart", network=True, devices=True, - vartmp=True, options=["--bind", fname, fname], ), ) @@ -3703,7 +3695,6 @@ def run_clean_scripts(config: Config) -> None: env=env | config.environment, sandbox=config.sandbox( binary=None, - vartmp=True, tools=False, options=[ "--dir", "/work/src", diff --git a/mkosi/config.py b/mkosi/config.py index e25eecab2..07022bce2 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -1770,7 +1770,6 @@ class Config: binary: Optional[PathString], network: bool = False, devices: bool = False, - vartmp: bool = False, relaxed: bool = False, tools: bool = True, scripts: Optional[Path] = None, @@ -1805,7 +1804,6 @@ class Config: return sandbox_cmd( network=network, devices=devices, - vartmp=vartmp, relaxed=relaxed, scripts=scripts, tools=self.tools() if tools else Path("/"), diff --git a/mkosi/context.py b/mkosi/context.py index 5f2ae1222..914228ae1 100644 --- a/mkosi/context.py +++ b/mkosi/context.py @@ -66,7 +66,6 @@ class Context: binary: Optional[PathString], network: bool = False, devices: bool = False, - vartmp: bool = False, scripts: Optional[Path] = None, options: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: @@ -74,7 +73,6 @@ class Context: binary=binary, network=network, devices=devices, - vartmp=vartmp, scripts=scripts, sandbox_tree=self.sandbox_tree, options=options, diff --git a/mkosi/installer/__init__.py b/mkosi/installer/__init__.py index 8a5468f5c..fca89e20a 100644 
--- a/mkosi/installer/__init__.py +++ b/mkosi/installer/__init__.py @@ -129,7 +129,6 @@ class PackageManager: return context.sandbox( binary=cls.executable(context.config), network=True, - vartmp=True, options=[ "--bind", context.root, "/buildroot", *cls.mounts(context), diff --git a/mkosi/qemu.py b/mkosi/qemu.py index ba66c7ed7..a6d84d931 100644 --- a/mkosi/qemu.py +++ b/mkosi/qemu.py @@ -1014,7 +1014,6 @@ def run_qemu(args: Args, config: Config) -> None: ], sandbox=config.sandbox( binary="systemd-repart", - vartmp=True, options=[ "--bind", fname.parent, workdir(fname.parent), "--ro-bind", src, workdir(src), diff --git a/mkosi/run.py b/mkosi/run.py index b7a12f833..8c46e93b0 100644 --- a/mkosi/run.py +++ b/mkosi/run.py @@ -387,7 +387,6 @@ class SandboxProtocol(Protocol): self, *, binary: Optional[PathString], - vartmp: bool = False, options: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: ... @@ -395,7 +394,6 @@ class SandboxProtocol(Protocol): def nosandbox( *, binary: Optional[PathString], - vartmp: bool = False, options: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: return contextlib.nullcontext([]) @@ -446,7 +444,6 @@ def sandbox_cmd( *, network: bool = False, devices: bool = False, - vartmp: bool = False, scripts: Optional[Path] = None, tools: Path = Path("/"), relaxed: bool = False, @@ -535,7 +532,7 @@ def sandbox_cmd( if scripts: cmdline += ["--ro-bind", scripts, "/scripts"] - with vartmpdir(condition=vartmp and not relaxed) as dir: + with vartmpdir(condition=not relaxed) as dir: if dir: cmdline += ["--bind", dir, "/var/tmp"]
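Review bot: In `sandbox_cmd`, the new `with vartmpdir(condition=not relaxed) as dir:` gives every non-relaxed sandbox a writable `--bind` of a host directory at `/var/tmp`, including call sites outside this diff that never passed `vartmp=True`, and nothing at this line explains why relaxed sandboxes are the one exception. A one-line comment above the `with` should state that reason; the hunk does not show it, but presumably a relaxed sandbox already sees the host's `/var/tmp`. Because the mount is no longer opt-in, it is worth confirming that `vartmpdir()`, defined outside this hunk, creates the directory with owner-only permissions and removes it when the context exits. As a smaller style point, `dir` shadows the builtin; `as tmp:` followed by `if tmp:` and `cmdline += ["--bind", tmp, "/var/tmp"]` avoids that. The body of `sandbox_cmd` starts and ends outside the hunk.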