From: Daan De Meyer
Date: Wed, 25 Jun 2025 12:04:14 +0000 (+0200)
Subject: Make sure various host files are added to every relaxed sandbox
X-Git-Tag: v26~193^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6caa2b7006738b72f8334c63cb1a00610d7844ab;p=thirdparty%2Fmkosi.git

Make sure various host files are added to every relaxed sandbox

Let's not just make these available to mkosi sandbox, but to every other relaxed sandbox we set up as well.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 2088602c9..0ec8a85cb 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4127,13 +4127,6 @@ def run_sandbox(args: Args, config: Config) -> None:
 die("Please specify a command to execute in the sandbox")
 mounts = finalize_certificate_mounts(config, relaxed=True)
- if config.tools() != Path("/"):
- for f in ("passwd", "group", "shadow", "gshadow"):
- if Path(f"/etc/{f}").exists() and (config.tools() / "etc" / f).exists():
- mounts += ["--ro-bind", f"/etc/{f}", f"/etc/{f}"]
-
- if Path("/etc/nsswitch.conf").exists() and (config.tools() / "etc/nsswitch.conf").exists():
- mounts += ["--ro-bind", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]
 # Since we reuse almost every top level directory from the host except /usr and /etc, the crypto
 # mountpoints have to exist already in these directories or we'll fail with a permission error. Let's
diff --git a/mkosi/run.py b/mkosi/run.py
index cd1a25ae2..17c0f8780 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -525,6 +525,11 @@ def sandbox_cmd(
 cmdline += ["--bind", p, p]
 cmdline += ["--ro-bind", tools / "etc", "/etc"]
+
+ if tools != Path("/"):
+ for f in ("passwd", "group", "shadow", "gshadow", "nsswitch.conf"):
+ if Path(f"/etc/{f}").exists() and (tools / "etc" / f).exists():
+ cmdline += ["--ro-bind", f"/etc/{f}", f"/etc/{f}"]
 else:
 cmdline += [
 "--dir", "/var/tmp",
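Review bot: The added loop in the `tools != Path("/")` branch read-only binds the host's `/etc/shadow` and `/etc/gshadow` into every relaxed sandbox built by sandbox_cmd, where before this commit only run_sandbox mounted them, and nothing in the hunk records why the password-hash files are needed alongside passwd, group and nsswitch.conf. If resolving host users and groups is the goal, consider keeping the general case to `for f in ("passwd", "group", "nsswitch.conf"):` and leaving the shadow files to the caller that needs them; otherwise add a comment above the loop such as `# Host account databases replace the tools tree's so host users resolve in the sandbox; shadow/gshadow are needed for <reason>`. Whether a sandboxed process can actually read those files depends on the ownership mapping set up elsewhere, which is not visible here. sandbox_cmd starts and ends outside the hunk.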