From: Daan De Meyer Date: Mon, 24 Apr 2023 13:11:11 +0000 (+0200) Subject: Revert back to shell based chmod solution for bwrap X-Git-Tag: v15~204^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf98cc6d6fd812575292ca2c92bfe3c4f200ba68;p=thirdparty%2Fmkosi.git Revert back to shell based chmod solution for bwrap Mounting the host directories doesn't work because those directories are owned by root on the host which translates to nobody in the user namespace, breaking systemd tmpfiles tests. --- diff --git a/mkosi/run.py b/mkosi/run.py index 80328fff5..9522801df 100644 --- a/mkosi/run.py +++ b/mkosi/run.py @@ -288,12 +288,10 @@ def bwrap( if apivfs: cmdline += [ "--tmpfs", apivfs / "run", + "--tmpfs", apivfs / "tmp", "--proc", apivfs / "proc", "--dev", apivfs / "dev", "--ro-bind", "/sys", apivfs / "sys", - "--bind", "/tmp", apivfs / "tmp", - "--bind", "/var/tmp", apivfs / "var/tmp", - "--bind", "/dev/shm", apivfs / "dev/shm", ] # If passwd or a related file exists in the apivfs directory, bind mount it over the host files while @@ -307,12 +305,25 @@ def bwrap( else: cmdline += ["--bind", "/dev/null", f"/etc/{f}"] - try: - return run([*cmdline, *cmd], text=True, stdout=stdout, env=env, log=False) - except subprocess.CalledProcessError as e: - if ARG_DEBUG_SHELL.get(): - run([*cmdline, "sh"], stdin=sys.stdin, check=False, env=env, log=False) - die(f'"{shlex.join(str(s) for s in cmd)}" returned non-zero exit code {e.returncode}.') + if apivfs: + chmod = f"chmod 1777 {apivfs / 'tmp'} {apivfs / 'var/tmp'} {apivfs / 'dev/shm'}" + else: + chmod = ":" + + with tempfile.TemporaryDirectory(dir="/var/tmp", prefix="mkosi-var-tmp") as var_tmp: + if apivfs: + cmdline += ["--bind", var_tmp, apivfs / "var/tmp"] + + cmdline += ["sh", "-c"] + template = f"{chmod} && exec {{}} || exit $?" + + try: + return run([*cmdline, template.format(shlex.join(str(s) for s in cmd))], + text=True, stdout=stdout, env=env, log=False) + except subprocess.CalledProcessError as e: + if ARG_DEBUG_SHELL.get(): + run([*cmdline, template.format("sh")], stdin=sys.stdin, check=False, env=env, log=False) + die(f'"{shlex.join(str(s) for s in cmd)}" returned non-zero exit code {e.returncode}.') def run_workspace_command( @@ -330,12 +341,10 @@ def run_workspace_command( "--unshare-cgroup", "--bind", root, "/", "--tmpfs", "/run", + "--tmpfs", "/tmp", "--dev", "/dev", "--proc", "/proc", "--ro-bind", "/sys", "/sys", - "--bind", "/tmp", "/tmp", - "--bind", "/var/tmp", "/var/tmp", - "--bind", "/dev/shm", "/dev/shm", "--die-with-parent", *bwrap_params, ] @@ -362,13 +371,20 @@ def run_workspace_command( PATH="/usr/bin:/usr/sbin", ) | env - try: - return run([*cmdline, *cmd], text=True, stdout=stdout, env=env, log=False) - except subprocess.CalledProcessError as e: - if ARG_DEBUG_SHELL.get(): - run([*cmdline, "sh"], stdin=sys.stdin, check=False, env=env, log=False) - die(f'"{shlex.join(str(s) for s in cmd)}" returned non-zero exit code {e.returncode}.') - finally: - if tmp.is_symlink(): - resolve.unlink(missing_ok=True) - shutil.move(tmp, resolve) + with tempfile.TemporaryDirectory(dir="/var/tmp", prefix="mkosi-var-tmp") as var_tmp: + cmdline += ["--bind", var_tmp, "/var/tmp"] + + cmdline += ["sh", "-c"] + template = "chmod 1777 /tmp /var/tmp /dev/shm && exec {} || exit $?" + + try: + return run([*cmdline, template.format(shlex.join(str(s) for s in cmd))], + text=True, stdout=stdout, env=env, log=False) + except subprocess.CalledProcessError as e: + if ARG_DEBUG_SHELL.get(): + run([*cmdline, template.format("sh")], stdin=sys.stdin, check=False, env=env, log=False) + die(f'"{shlex.join(str(s) for s in cmd)}" returned non-zero exit code {e.returncode}.') + finally: + if tmp.is_symlink(): + resolve.unlink(missing_ok=True) + shutil.move(tmp, resolve)