From: Daan De Meyer
Date: Wed, 21 Feb 2024 17:49:11 +0000 (+0100)
Subject: Sandbox permission fixes
X-Git-Tag: v21~35^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=684190b5a41a199048cfcc964282f3356fecad1d;p=thirdparty%2Fmkosi.git
Sandbox permission fixes
---
diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index 62f7fb288..053a928c5 100644
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -177,9 +177,13 @@ def sandbox_cmd(
 # bubblewrap creates everything with a restricted mode so relax stuff as needed.
 ops = []
- if not devices:
+ if not devices and not relaxed:
 ops += ["chmod 1777 /dev/shm"]
- if not relaxed:
+ if relaxed and INVOKING_USER.home().exists() and len(INVOKING_USER.home().parents) > 1:
+ # We might mount a subdirectory of /home so /home will be created with the wrong permissions by bubblewrap so
+ # we need to fix up the permissions.
+ ops += [f"chmod 755 {list(INVOKING_USER.home().parents)[-1]}"]
+ else:
 ops += ["chmod 755 /etc"]
 ops += ["exec $0 \"$@\""]
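Review bot: In the new `relaxed` branch, `list(INVOKING_USER.home().parents)[-1]` is the last ancestor, which for an absolute path such as `/home/user` is `/` rather than `/home`, so the chmod does not reach the directory the comment says it is fixing; with the `len(...) > 1` guard already in place, `[-2]` selects the top-level component. The `else` now hangs off the whole compound condition, so `chmod 755 /etc` also runs when `relaxed` is true but the home directory is missing or sits directly under `/`, whereas before it ran only for `not relaxed`; a separate `if not relaxed:` would keep the old behaviour. The path is also interpolated unquoted into what appears to be a shell command string, so `ops += [f"chmod 755 {shlex.quote(str(list(INVOKING_USER.home().parents)[-2]))}"]` would be more robust against unusual directory names (this assumes `shlex` is imported in the file, which the hunk does not show). `sandbox_cmd` begins and ends outside this hunk.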