From: Maximilian Bosch Date: Sun, 2 Nov 2025 14:14:09 +0000 (+0100) Subject: mkosi/run: inherit store paths from nix-shell into sandbox X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a88a428d227c57d19798fff7dd07625a3caa5d91;p=thirdparty%2Fmkosi.git mkosi/run: inherit store paths from nix-shell into sandbox On NixOS most interesting stuff is either in store-paths from $PATH (e.g. when working in a nix-shell). Add these PATH entries to the new $PATH and ensure everything interesting is in the sandbox.
---
diff --git a/mkosi/run.py b/mkosi/run.py
index 9a77d93a1..c2d6182a9 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -364,7 +364,11 @@ def finalize_path(
 # Make sure that /usr/bin and /usr/sbin are always in $PATH.
 path += [s for s in ("/usr/bin", "/usr/sbin") if s not in path]
 else:
- path += ["/usr/bin", "/usr/sbin"]
+ path += [
+ "/usr/bin",
+ "/usr/sbin",
+ *(el for el in os.environ.get("PATH", "").split(":") if el.startswith("/nix/store")),
+ ]

 if prefix_usr:
 path = [os.fspath(root / s.lstrip("/")) if s in ("/usr/bin", "/usr/sbin") else s for s in path]
@@ -567,15 +571,19 @@ def sandbox_cmd(
 else:
 cmdline += ["--ro-bind", tools / d, Path("/") / d]

- for d in ("bin", "sbin", "lib", "lib32", "lib64"):
+ for d in (
+ "bin",
+ "sbin",
+ "lib",
+ "lib32",
+ "lib64",
+ "nix/store",
+ ):
 if (p := tools / d).is_symlink():
 cmdline += ["--symlink", p.readlink(), Path("/") / p.relative_to(tools)]
 elif p.is_dir():
 cmdline += ["--ro-bind", p, Path("/") / p.relative_to(tools)]

- if (tools / "nix/store").exists():
- cmdline += ["--bind", tools / "nix/store", "/nix/store"]
-
 if relaxed:
 for p in Path("/").iterdir():
 if p not in (
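Review bot: The filter `el.startswith("/nix/store")` in the non-relaxed branch of `finalize_path` matches on a bare prefix, so a sibling directory such as `/nix/store-old/bin` (constructed example) would also be inherited; comparing against `"/nix/store/"` keeps the inherited entries inside the store: `*(el for el in os.environ.get("PATH", "").split(":") if el.startswith("/nix/store/")),`. This branch used to produce a fixed `$PATH`, and after the change the sandbox search path depends on the caller's environment, which deserves a comment above the list, for example `# Non-relaxed $PATH is no longer fixed: /nix/store entries are inherited from the caller's environment.` The inherited entries are appended after `/usr/bin` and `/usr/sbin` and are not rewritten when `prefix_usr` is set; whether they resolve when the tools tree is not the host root cannot be judged from this hunk. The body of `finalize_path` starts and ends outside the hunk.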
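Review bot: Folding `"nix/store"` into the loop in `sandbox_cmd` changes the mount from `--bind` to `--ro-bind` and the condition from `.exists()` to `.is_symlink()` / `.is_dir()`, and neither change is mentioned in the commit description. Read-only is the safer default for a store that only has to be read, but anything that previously wrote to `/nix/store` inside the sandbox would now fail, so the intent should be recorded next to the tuple, for example `# "nix/store" is mounted read-only like the other tool directories; tools from a nix-shell only need read access.` If `tools / "nix/store"` is a symlink, the new code recreates the link with `--symlink` instead of binding what it points to, so the link target has to be reachable inside the sandbox by other means. The body of `sandbox_cmd` starts and ends outside the hunk.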