From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 7 Aug 2023 18:03:44 +0000 (+0200)
Subject: Make sure options are always applied last in bwrap() and chroot_cmd()
X-Git-Tag: v15~20^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=402fca4c20085f64a3c8d1964fd111d3d261291b;p=thirdparty%2Fmkosi.git

Make sure options are always applied last in bwrap() and chroot_cmd()

That way, if the options remount anything read-only, we can be sure
it doesn't affect any of the operations set up in bwrap() and chroot_cmd()
themselves.
---

diff --git a/mkosi/run.py b/mkosi/run.py
index 5cce0dab0..0fdab9a52 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -279,7 +279,6 @@ def bwrap(
         "--ro-bind", "/sys", "/sys",
         "--tmpfs", "/tmp",
         "--setenv", "SYSTEMD_OFFLINE", one_zero(network),
-        *options,
     ]
 
     with tempfile.TemporaryDirectory(prefix="mkosi-scripts") as d:
@@ -300,8 +299,11 @@ def bwrap(
 
             make_executable(Path(d) / name)
 
-        cmdline += ["--setenv", "PATH", f"{d}:{os.environ['PATH']}"]
-        cmdline += ["sh", "-c", "chmod 1777 /tmp /dev/shm && exec $0 \"$@\""]
+        cmdline += [
+            "--setenv", "PATH", f"{d}:{os.environ['PATH']}",
+            *options,
+            "sh", "-c", "chmod 1777 /tmp /dev/shm && exec $0 \"$@\"",
+        ]
 
         try:
             result = run([*cmdline, *cmd], env=env, log=False, stdin=stdin, input=input)
@@ -369,7 +371,6 @@ def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathSt
         "--setenv", "container", "mkosi",
         "--setenv", "HOME", "/",
         "--setenv", "PATH", "/usr/bin:/usr/sbin",
-        *options,
     ]
 
     resolve = Path("etc/resolv.conf")
@@ -381,10 +382,12 @@ def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathSt
         # create all missing components in the target path.
         resolve = resolve.parent / (root / resolve).readlink()
 
-    cmdline += ["--ro-bind", "/etc/resolv.conf", Path("/") / resolve]
-
-    # No exec here because we need to clean up the /work directory afterwards.
-    cmdline += ["sh", "-c", f"$0 \"$@\" && rm -rf {root / 'work'}"]
+    cmdline += [
+        "--ro-bind", "/etc/resolv.conf", Path("/") / resolve,
+        *options,
+        # No exec here because we need to clean up the /work directory afterwards.
+        "sh", "-c", f"$0 \"$@\" && rm -rf {root / 'work'}",
+    ]
 
     return apivfs_cmd(root) + cmdline