From: Daan De Meyer Date: Thu, 18 Jan 2024 08:56:45 +0000 (+0100) Subject: Don't mount /srv and /mnt read-only X-Git-Tag: v20.2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c82a4783a0e419785f92e4fbd57537a82d4be7f9;p=thirdparty%2Fmkosi.git Don't mount /srv and /mnt read-only It seems there are use cases where users expect to write their output to a directory in /srv or /mnt so let's make that writable. This should be safe as we set up a custom sandbox now so none of the tools we run will have access to /srv and /mnt in the first place.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 96f945605..d2f67195b 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3462,7 +3462,7 @@ def run_build(args: Args, config: Config) -> None:
 run(["mount", "--make-rslave", "/"])
 # For extra safety when running as root, remount a bunch of stuff read-only.
- for d in ("/usr", "/etc", "/opt", "/srv", "/boot", "/efi", "/media", "/mnt"):
+ for d in ("/usr", "/etc", "/opt", "/boot", "/efi", "/media"):
 if Path(d).exists():
 run(["mount", "--rbind", d, d, "--options", "ro"])
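Review bot: The comment above the loop still reads only "remount a bunch of stuff read-only", so nothing in the code records why `/srv` and `/mnt` are now left writable or that this relies on the sandbox described in the commit message. I would add a line next to the tuple such as `# /srv and /mnt stay writable: users put output directories there, and sandboxed tools get no access to them.` so a later edit does not drop the exclusion or weaken the sandbox without noticing the dependency. The safety argument holds only if every tool that runs as root after this point goes through the sandbox; whether any call in `run_build` bypasses it cannot be seen from this hunk, since the function body starts and ends outside it. If the output directory is known at this point, keeping the read-only remount and exempting only that directory would be a narrower alternative worth considering.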