From: Daan De Meyer
Date: Fri, 6 Sep 2024 08:43:37 +0000 (+0200)
Subject: Move relaxed checks in sandbox_cmd() into one condition
X-Git-Tag: v25~309^2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d1e3d7d5d9faefc858e90444a98873cede86958;p=thirdparty%2Fmkosi.git

Move relaxed checks in sandbox_cmd() into one condition

We also fix a minor bug where we mounted /run into the sandbox when devices=True when this isn't actually required.
---
diff --git a/mkosi/run.py b/mkosi/run.py
index 6bcc2a8a5..5c85ecbd8 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -488,21 +488,7 @@ def sandbox_cmd(
         cmdline += ["--bind", tools / "nix/store", "/nix/store"]
 
     if relaxed:
-        cmdline += ["--bind", "/tmp", "/tmp"]
-    else:
-        cmdline += ["--dir", "/tmp", "--dir", "/var/tmp", "--unshare-ipc"]
-
-    if devices or relaxed:
-        cmdline += [
-            "--bind", "/sys", "/sys",
-            "--bind", "/run", "/run",
-            "--bind", "/dev", "/dev",
-        ]
-    else:
-        cmdline += ["--dev", "/dev"]
-
-    if relaxed:
-        dirs = ("/etc", "/opt", "/srv", "/media", "/mnt", "/var")
+        dirs = ("/etc", "/opt", "/srv", "/media", "/mnt", "/var", "/tmp", "/sys", "/run", "/dev")
 
         for d in dirs:
             if Path(d).exists():
@@ -525,6 +511,16 @@ def sandbox_cmd(
             if d and not any(Path(d).is_relative_to(dir) for dir in (*dirs, "/usr", "/nix", "/tmp")):
                 cmdline += ["--bind", d, d]
 
+    else:
+        cmdline += ["--dir", "/tmp", "--dir", "/var/tmp", "--unshare-ipc"]
+
+    if devices:
+        cmdline += ["--bind", "/sys", "/sys", "--bind", "/dev", "/dev"]
+    else:
+        cmdline += ["--dev", "/dev"]
+
+    if network and Path("/etc/resolv.conf").exists():
+        cmdline += ["--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]
 
     path = "/usr/bin:/usr/sbin" if tools != Path("/") else os.environ["PATH"]
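Review bot: When `relaxed` and `devices` are both set, `/sys` and `/dev` are now mounted twice: the relaxed branch's `dirs` tuple includes them (bound by the `for d in dirs` loop, whose body continues outside the hunk), and the new `if devices:` block binds them again, whereas the removed `if devices or relaxed:` produced a single bind. If the duplicate is unintended, `if devices and not relaxed:` restores one mount; if the sandbox tool's mount stacking makes the repeat harmless, a one-line comment such as `# relaxed mode already bound /sys and /dev above` would save the next reader the same question. The new `if network and Path("/etc/resolv.conf").exists():` check has the same shape: the `not relaxed` guard it replaces (deleted in the second hunk) is gone, so in relaxed mode resolv.conf is ro-bound on top of an `/etc` that the `dirs` loop already bound read-write, which may or may not be the intended read-only override. sandbox_cmd() starts and ends outside the hunk.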
@@ -533,9 +529,6 @@ def sandbox_cmd(
     if scripts:
         cmdline += ["--ro-bind", scripts, "/scripts"]
 
-    if network and not relaxed and Path("/etc/resolv.conf").exists():
-        cmdline += ["--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]
-
     with vartmpdir(condition=vartmp and not relaxed) as dir:
         if dir:
             cmdline += ["--bind", dir, "/var/tmp"]