From: Daan De Meyer Date: Mon, 8 Jan 2024 13:51:48 +0000 (+0100) Subject: Only mount package manager specific directories into sandbox X-Git-Tag: v20~6^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e59a66b39b4bd31f54d0487d58314824fd8662c5;p=thirdparty%2Fmkosi.git Only mount package manager specific directories into sandbox
---
diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 496e25675..594bdb6b0 100644
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -107,7 +107,8 @@ def invoke_apt(
 network=True,
 options=[
 "--bind", context.root, context.root,
- "--bind", context.cache_dir, context.cache_dir,
+ "--bind", context.cache_dir / "lib/apt", context.cache_dir / "lib/apt",
+ "--bind", context.cache_dir / "cache/apt", context.cache_dir / "cache/apt",
 "--ro-bind", context.workspace / "apt.conf", context.workspace / "apt.conf",
 *finalize_crypto_mounts(tools=context.config.tools()),
 *mounts,
diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index eccfb1fcc..c410c7141 100644
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -19,10 +19,18 @@ def dnf_executable(context: Context) -> str:
 return Path(dnf or find_binary("dnf5", root=root) or find_binary("dnf", root=root) or "yum").name
+def dnf_subdir(context: Context) -> str:
+ dnf = dnf_executable(context)
+ return "libdnf5" if dnf.endswith("dnf5") else "dnf"
+
+
 def setup_dnf(context: Context, repositories: Iterable[RpmRepository], filelists: bool = True) -> None:
 (context.pkgmngr / "etc/dnf/vars").mkdir(exist_ok=True, parents=True)
 (context.pkgmngr / "etc/yum.repos.d").mkdir(exist_ok=True, parents=True)
+ (context.cache_dir / "cache" / dnf_subdir(context)).mkdir(exist_ok=True, parents=True)
+ (context.cache_dir / "lib" / dnf_subdir(context)).mkdir(exist_ok=True, parents=True)
+
 config = context.pkgmngr / "etc/dnf/dnf.conf"
 if not config.exists():
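Review bot: The two new `--bind` sources `context.cache_dir / "lib/apt"` and `context.cache_dir / "cache/apt"` are mounted without this commit creating them, whereas the dnf and zypper hunks of the same commit add a `mkdir(exist_ok=True, parents=True)` for their new mount sources in the corresponding setup function. If `setup_apt` (not visible here) does not already create both directories, sandbox setup will fail on a fresh cache directory where the previous whole-tree bind of `cache_dir` succeeded. Worth confirming, or adding `(context.cache_dir / "lib/apt").mkdir(exist_ok=True, parents=True)` and its `cache/apt` twin to `setup_apt` for symmetry with the other backends. `invoke_apt` starts and ends outside the hunk.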
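Review bot: `dnf_subdir` is a new module-level helper that now decides where dnf's cache and persist data lands, but it carries no docstring; suggest `"""Return the subdirectory under cache_dir/{cache,lib} used by the selected dnf flavor: "libdnf5" for dnf5, "dnf" otherwise."""`. Each call also goes through `dnf_executable`, whose visible fallback chain runs `find_binary` probes, so the two new `mkdir` lines in `setup_dnf` could bind the result once with `subdir = dnf_subdir(context)` instead of resolving the binary twice. The tail of `setup_dnf` continues outside the hunk.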
@@ -78,8 +86,8 @@ def dnf_cmd(context: Context) -> list[PathString]:
 f"--releasever={context.config.release}",
 f"--installroot={context.root}",
 "--setopt=keepcache=1",
- f"--setopt=cachedir={context.cache_dir / 'cache' / ('libdnf5' if dnf.endswith('dnf5') else 'dnf')}",
- f"--setopt=persistdir={context.cache_dir / 'lib' / ('libdnf5' if dnf.endswith('dnf5') else 'dnf')}",
+ f"--setopt=cachedir={context.cache_dir / 'cache' / dnf_subdir(context)}",
+ f"--setopt=persistdir={context.cache_dir / 'lib' / dnf_subdir(context)}",
 f"--setopt=install_weak_deps={int(context.config.with_recommends)}",
 "--setopt=check_config_file_age=0",
 "--disable-plugin=*" if dnf.endswith("dnf5") else "--disableplugin=*",
@@ -123,7 +131,12 @@ def invoke_dnf(context: Context, command: str, packages: Iterable[str], apivfs:
 network=True,
 options=[
 "--bind", context.root, context.root,
- "--bind", context.cache_dir, context.cache_dir,
+ "--bind",
+ context.cache_dir / "cache" / dnf_subdir(context),
+ context.cache_dir / "cache" / dnf_subdir(context),
+ "--bind",
+ context.cache_dir / "lib" / dnf_subdir(context),
+ context.cache_dir / "lib" / dnf_subdir(context),
 *finalize_crypto_mounts(tools=context.config.tools()),
 ],
 ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else [])
diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index 5ba5749e6..1c3cfd905 100644
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -96,7 +96,7 @@ def invoke_pacman(
 network=True,
 options=[
 "--bind", context.root, context.root,
- "--bind", context.cache_dir, context.cache_dir,
+ "--bind", context.cache_dir / "cache/pacman/pkg", context.cache_dir / "cache/pacman/pkg",
 *finalize_crypto_mounts(tools=context.config.tools()),
 ],
 ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else [])
diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py
index 58998135c..c800038f9 100644
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
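Review bot: `dnf_cmd` already holds the resolved executable name in the local `dnf` (used on the `--disable-plugin` line), yet the rewritten `cachedir` and `persistdir` options each call `dnf_subdir(context)`, which re-resolves it through `dnf_executable` and its `find_binary` fallbacks. Binding `subdir = dnf_subdir(context)` once next to `dnf` keeps both paths derived from a single lookup and makes it obvious they cannot diverge. The start of `dnf_cmd`, where `dnf` is assigned, is outside the hunk.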
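Review bot: `dnf_subdir(context)` is evaluated four times inside the new `options` list, and each evaluation can run the `find_binary` probes in `dnf_executable`; hoist it to `subdir = dnf_subdir(context)` before the call and reuse it for the `cache` and `lib` pairs. Narrowing the writable mounts from all of `cache_dir` to these two directories is a sound least-privilege change, but it depends on the mount sources matching the `cachedir`/`persistdir` values built in `dnf_cmd` exactly, which nothing in the code enforces — a short comment such as `# must stay in sync with cachedir/persistdir in dnf_cmd()` on the first `"--bind"` would flag that coupling. `invoke_dnf` starts outside the hunk.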
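Review bot: Only `context.cache_dir / "cache/pacman/pkg"` stays bind-mounted, but unlike the dnf and zypper parts of this commit nothing here creates that directory; if `setup_pacman` (not in the hunk) does not already `mkdir` it with `parents=True`, the bind fails on a fresh cache directory. Anything else pacman wrote below `cache_dir` under the old whole-tree bind — a db path, for instance, if mkosi's generated pacman.conf places one there — is now outside the sandbox, so the generated config is worth checking against this narrower mount. `invoke_pacman` starts outside the hunk.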
@@ -15,6 +15,8 @@ def setup_zypper(context: Context, repos: Sequence[RpmRepository]) -> None:
 config = context.pkgmngr / "etc/zypp/zypp.conf"
 config.parent.mkdir(exist_ok=True, parents=True)
+ (context.cache_dir / "cache/zypp").mkdir(exist_ok=True, parents=True)
+
 # rpm.install.excludedocs can only be configured in zypp.conf so we append
 # to any user provided config file. Let's also bump the refresh delay to
 # the same default as dnf which is 48 hours.
@@ -82,7 +84,7 @@ def invoke_zypper(
 network=True,
 options=[
 "--bind", context.root, context.root,
- "--bind", context.cache_dir, context.cache_dir,
+ "--bind", context.cache_dir / "cache/zypp", context.cache_dir / "cache/zypp",
 *finalize_crypto_mounts(tools=context.config.tools()),
 ],
 ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else [])
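Review bot: The literal `"cache/zypp"` now has to agree between the `mkdir` added to `setup_zypper` in the first hunk of this file and this `--bind`, with nothing tying the two together; the dnf part of the commit solves the same problem with `dnf_subdir`, and a module-level `ZYPP_CACHE_SUBDIR = "cache/zypp"` used in both places would do the same here. The same duplication risk applies to `"cache/pacman/pkg"` in pacman.py once a matching `mkdir` exists there. `invoke_zypper` starts outside the hunk.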