From: Daan De Meyer Date: Thu, 22 Feb 2024 07:47:52 +0000 (+0100) Subject: Only mount ephemeral build sources for package managers when running as root X-Git-Tag: v21~35^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ffc9a7f5a2c862f619e29c295729fbf4393bd03;p=thirdparty%2Fmkosi.git Only mount ephemeral build sources for package managers when running as root If we're not running as root, we won't have permissions to do the overlay mount. Hopefully bubblewrap will eventually get overlayfs support which would make this possible.
---
diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 0234cdd8a..3e9ab6caf 100644
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1+
+import os
 import textwrap
 from collections.abc import Iterable, Sequence
 from pathlib import Path
@@ -174,7 +175,10 @@ class Apt(PackageManager):
 mounts: Sequence[PathString] = (),
 stdout: _FILE = None,
 ) -> CompletedProcess:
- with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+ with finalize_source_mounts(
+ context.config,
+ ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+ ) as sources:
 return run(
 cls.cmd(context, "apt-get") + [operation, *arguments],
 sandbox=(
diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index ca831c4a6..3a7450990 100644
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1+
+import os
 import textwrap
 from collections.abc import Iterable, Sequence
 from pathlib import Path
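Review bot: In the second apt.py hunk, `ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral` silently turns the user's setting off for unprivileged runs, so a build configured with ephemeral sources proceeds without the overlay and nothing reports it. If the non-ephemeral mount is writable (finalize_source_mounts is not shown here), package-manager scriptlets could then change the real source tree, so I would log a warning when the option is set and the UID is not 0, and add a comment such as `# Overlay mounts need root; unprivileged runs fall back to non-ephemeral source mounts`. The same expression is repeated in the Dnf, Pacman and Zypper hunks; a single shared helper would keep the four call sites in step and give the warning one home. The check uses the real UID, while mount permission follows the effective UID, so it is worth confirming `os.getuid()` is the intended test. The enclosing method starts and ends outside the hunk.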
@@ -160,7 +161,10 @@ class Dnf(PackageManager):
 stdout: _FILE = None,
 ) -> CompletedProcess:
 try:
- with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+ with finalize_source_mounts(
+ context.config,
+ ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+ ) as sources:
 return run(
 cls.cmd(context) + [operation,*arguments],
 sandbox=(
diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index 2ecb98837..de240f531 100644
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1+
+import os
 import shutil
 import textwrap
 from collections.abc import Iterable, Sequence
@@ -150,7 +151,10 @@ class Pacman(PackageManager):
 apivfs: bool = False,
 stdout: _FILE = None,
 ) -> CompletedProcess:
- with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+ with finalize_source_mounts(
+ context.config,
+ ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+ ) as sources:
 return run(
 cls.cmd(context) + [operation, *arguments],
 sandbox=(
diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py
index 6e09c9b68..148aba563 100644
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: LGPL-2.1+
 import hashlib
+import os
 import textwrap
 from collections.abc import Iterable, Sequence
 from pathlib import Path
@@ -120,7 +121,10 @@ class Zypper(PackageManager):
 apivfs: bool = False,
 stdout: _FILE = None,
 ) -> CompletedProcess:
- with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+ with finalize_source_mounts(
+ context.config,
+ ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+ ) as sources:
 return run(
 cls.cmd(context) + [operation, *arguments],
 sandbox=(