From: Daan De Meyer
Date: Mon, 11 Mar 2024 11:18:01 +0000 (+0100)
Subject: Always run as root in Context sandbox
X-Git-Tag: v22~19^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c86d7066162bcd403e320d623c34f21aaa5ed8a2;p=thirdparty%2Fmkosi.git

Always run as root in Context sandbox

If there's files in /usr in the package manager tree, we need to be running as root to mount an overlayfs on top of /usr so make sure we are always root in the Context sandbox.
---

diff --git a/mkosi/context.py b/mkosi/context.py
index e1d146e24..c0b85e485 100644
--- a/mkosi/context.py
+++ b/mkosi/context.py
@@ -80,6 +80,9 @@ class Context:
 devices=devices,
 scripts=scripts,
 options=[
+ "--uid", "0",
+ "--gid", "0",
+ "--cap-add", "ALL",
 # These mounts are writable so bubblewrap can create extra directories or symlinks inside of it as
 # needed. This isn't a problem as the package manager directory is created by mkosi and thrown away
 # when the build finishes.
diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index 45969da59..b1b6282c3 100644
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -165,9 +165,6 @@ class Pacman(PackageManager):
 *cls.mounts(context),
 *sources,
 "--chdir", "/work/src",
- # pacman will fail unless invoked as root so make sure we're uid/gid 0 in the sandbox.
- "--uid", "0",
- "--gid", "0",
 ],
 ) + (apivfs_cmd(context.root) if apivfs else [])
 ),
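Review bot: `"--cap-add", "ALL"` in the `options=[` list of mkosi/context.py hands every permitted capability to each command that goes through the Context sandbox, although the commit message needs root for one case only: mounting an overlayfs on /usr when the package manager tree has files there. If bubblewrap is always entered from inside an unprivileged user namespace, these capabilities are bounded by that namespace, but nothing in the hunk shows that, so it is worth either making the three options conditional on the overlay being needed or stating the assumption. The new lines also carry no comment, while the one removed from pacman.py explained its `--uid`/`--gid`; I would add above them `# Root with all capabilities is needed to mount an overlayfs on /usr when the package manager tree contains files there.` The `options` list and the enclosing method continue outside the hunk.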