From: Daan De Meyer
Date: Tue, 4 Jul 2023 08:51:22 +0000 (+0200)
Subject: Protect common system directories when running with bubblewrap
X-Git-Tag: v15~89
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=411cd49bbf5a34b2b5a0b3a69b8e149ce50fa7b5;p=thirdparty%2Fmkosi.git

Protect common system directories when running with bubblewrap

Let's make sure that even when we run as root the tools we run can't brick the system by making core system directories read-only bind mounts when running tools with bubblewrap.

As an example of the stuff this protects again, let's say a package installs an absolute symlink to /usr and in the finalize script a user tries to remove everything under this symlink, they'll end up erasing /usr from their host system. By making /usr read-only, we prevent this from happening.
---
diff --git a/mkosi/run.py b/mkosi/run.py
index 6a6548e8c..5b16503be 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -306,10 +306,12 @@ def bwrap_cmd(
 "--dev-bind", "/", "/",
 "--chdir", Path.cwd(),
 "--die-with-parent",
+ "--ro-bind", (root or Path("/")) / "usr", "/usr",
 ]
 
- if root:
- cmdline += ["--bind", root / "usr", "/usr"]
+ for d in ("/etc", "/opt", "/srv", "/boot", "/efi"):
+ if Path(d).exists():
+ cmdline += ["--ro-bind", d, d]
 
 if apivfs:
 if not (apivfs / "etc/machine-id").exists():
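Review bot: The read-only binds cover only /usr and the five paths in the new loop, while the `"--dev-bind", "/", "/"` a few lines earlier leaves every other host path (notably /var, /home and /root) writable to a tool running as root, and nothing in the hunk records that this partial coverage is the intended scope. A comment above the loop, `# Overlay the host's core directories read-only so tools running as root cannot modify them; the rest of "/" stays writable through the --dev-bind above`, would make that boundary explicit for whoever extends the list later. As far as I recall bubblewrap applies mount operations in argument order, so the `--ro-bind` entries only take effect because they come after the `--dev-bind` entry; that ordering constraint belongs in the same comment. Minor style: `d` as the loop variable is terse for a path, `path` or `host_dir` reads better. bwrap_cmd's signature and the remainder of its body lie outside the hunk.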