From: Daan De Meyer Date: Thu, 16 Oct 2025 09:39:39 +0000 (+0200) Subject: Treat /opt the same as /usr for the sandbox X-Git-Tag: v26~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4efdbf14e4f468be8b970b1aed0a67e2df4acdf;p=thirdparty%2Fmkosi.git Treat /opt the same as /usr for the sandbox In rare cases, distributions install stuff to /opt as well so let's make sure we pick up /opt from the tools tree in the same way as we pick up /usr. --- diff --git a/mkosi/run.py b/mkosi/run.py index 2e7bc7446..30d710356 100644 --- a/mkosi/run.py +++ b/mkosi/run.py @@ -489,14 +489,18 @@ def sandbox_cmd( *network_options(network=network), ] # fmt: skip - if overlay and (overlay / "usr").exists(): - cmdline += [ - "--overlay-lowerdir", tools / "usr", - "--overlay-lowerdir", overlay / "usr", - "--overlay", "/usr", - ] # fmt: skip - else: - cmdline += ["--ro-bind", tools / "usr", "/usr"] + for d in ("usr", "opt"): + if not (tools / d).exists(): + continue + + if overlay and (overlay / d).exists(): + cmdline += [ + "--overlay-lowerdir", tools / d, + "--overlay-lowerdir", overlay / d, + "--overlay", Path("/") / d, + ] # fmt: skip + else: + cmdline += ["--ro-bind", tools / d, Path("/") / d] for d in ("bin", "sbin", "lib", "lib32", "lib64"): if (p := tools / d).is_symlink(): @@ -512,6 +516,7 @@ def sandbox_cmd( if p not in ( Path("/proc"), Path("/usr"), + Path("/opt"), Path("/nix"), Path("/bin"), Path("/sbin"), @@ -584,11 +589,10 @@ def sandbox_cmd( ] # fmt: skip return - for d in ("etc", "opt"): - if overlay and (overlay / d).exists(): - cmdline += ["--ro-bind", overlay / d, Path("/") / d] - else: - cmdline += ["--dir", Path("/") / d] + if overlay and (overlay / "etc").exists(): + cmdline += ["--ro-bind", overlay / "etc", "/etc"] + else: + cmdline += ["--dir", "/etc"] for d in ("srv", "media", "mnt", "var", "run", "tmp"): tmp = None