From: Daan De Meyer
Date: Sat, 22 Mar 2025 11:23:37 +0000 (+0100)
Subject: Make sync script sandbox more relaxed
X-Git-Tag: v26~305^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ef5e54e9fedbfe3d14540cb816f0700775f9e17;p=thirdparty%2Fmkosi.git

Make sync script sandbox more relaxed

Let's simplify and mount in the entirety of /home, /run and the invoking user's environment to make stuff just work more often than not and avoid too many implementation details of specific tools leaking into mkosi itself.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 4542a00e1..dcafa08e7 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -645,16 +645,12 @@ def run_sync_scripts(config: Config) -> None:
 if config.profiles:
 env["PROFILES"] = " ".join(config.profiles)

- # We make sure to mount everything in to make ssh work since syncing might involve git which
- # could invoke ssh.
- if agent := os.getenv("SSH_AUTH_SOCK"):
- env["SSH_AUTH_SOCK"] = agent
-
 with (
 finalize_source_mounts(config, ephemeral=False) as sources,
 finalize_config_json(config) as json,
 tempfile.TemporaryDirectory(
- dir=config.workspace_dir_or_default(), prefix="mkosi-metadata-"
+ dir=config.workspace_dir_or_default(),
+ prefix="mkosi-metadata-",
 ) as sandbox_tree,
 ):
 install_sandbox_trees(config, Path(sandbox_tree))
@@ -664,24 +660,21 @@ def run_sync_scripts(config: Config) -> None:
 *finalize_certificate_mounts(config),
 "--ro-bind", script, "/work/sync",
 "--ro-bind", json, "/work/config.json",
+ # We need to make sure SSH keys and such can be accessed when git is used so bind in /home to
+ # make sure that works.
+ "--ro-bind", "/home", "/home",
+ # e.g. the ssh-agent socket and such will be in /run and might be used by git so make sure
+ # those are available as well.
+ "--ro-bind", "/run", "/run",
 "--dir", "/work/src",
 "--chdir", "/work/src",
 *sources,
 ] # fmt: skip

- if (p := INVOKING_USER.home()).exists() and p != Path("/"):
- # We use a writable mount here to keep git worktrees working which encode absolute
- # paths to the parent git repository and might need to modify the git config in the
- # parent git repository when submodules are in use as well.
- options += ["--bind", p, p]
- env["HOME"] = os.fspath(p)
- if (p := Path(f"/run/user/{os.getuid()}")).exists():
- options += ["--ro-bind", p, p]
-
 with complete_step(f"Running sync script {script}…"):
 run(
 ["/work/sync", "final"],
- env=env | config.finalize_environment(),
+ env=os.environ | env | config.finalize_environment(),
 stdin=sys.stdin,
 sandbox=config.sandbox(
 network=True,
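Review bot: The added `"--ro-bind", "/home", "/home"` and `"--ro-bind", "/run", "/run"` entries, combined with `env=os.environ | env | config.finalize_environment()`, let every sync script read all home directories, reach every socket under /run (a read-only bind does not prevent connecting to a socket) and see any secrets held in the caller's environment, while the sandbox still has `network=True`. The removed block mounted only the invoking user's home and did so writable because, per its own comment, git worktrees and submodules may need to modify the parent repository; with a read-only /home that case, and a home directory outside /home, look likely to regress, and `HOME` now comes only from whatever the caller's environment holds. If the wider exposure is intended, state the trust assumption next to the mounts, for example `# Sync scripts are fully trusted: they see all of /home and /run plus the caller's environment, with network access.`; otherwise consider limiting the mounts to `INVOKING_USER.home()` and `/run/user/<uid>` as before. The enclosing `run_sync_scripts` starts before and continues after this hunk, so how `options` and `env` are used further on is not visible here.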