From: Daan De Meyer
Date: Sat, 22 Mar 2025 12:07:19 +0000 (+0100)
Subject: run: Bind mount entire /home into relaxed sandbox
X-Git-Tag: v26~305^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e60548428528f9d3c8af81a5b4846d03aebf2166;p=thirdparty%2Fmkosi.git
run: Bind mount entire /home into relaxed sandbox
Let's simplify things and make the entirety of /home available. The relaxed sandbox is not about security, and permissions already make sure only the user's own home can be accessed.
---
diff --git a/mkosi/run.py b/mkosi/run.py
index 9d3b42062..deb18f90d 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -20,7 +20,7 @@ from typing import TYPE_CHECKING, Any, Callable, NoReturn, Optional, Protocol
 from mkosi.log import ARG_DEBUG, ARG_DEBUG_SANDBOX, ARG_DEBUG_SHELL, die
 from mkosi.sandbox import acquire_privileges, joinpath, umask
-from mkosi.util import _FILE, PathString, current_home_dir, flatten, one_zero, resource_path, unique
+from mkosi.util import _FILE, PathString, flatten, one_zero, resource_path, unique
 # These types are only generic during type checking and not at runtime, leading
 # to a TypeError during compilation.
@@ -500,7 +500,6 @@ def sandbox_cmd(
 if relaxed:
 for p in Path("/").iterdir():
 if p not in (
-Path("/home"),
 Path("/proc"),
 Path("/usr"),
 Path("/nix"),
@@ -523,9 +522,6 @@ def sandbox_cmd(
 and (factory := Path("/usr/share/factory")).exists()
 ):
 cmdline += ["--bind", factory, factory]
-
-if home := current_home_dir():
-cmdline += ["--bind", home, home]
 else:
 cmdline += [
 "--dir", "/var/tmp",
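Review bot: With `Path("/home")` dropped from the exclusion tuple, the `for p in Path("/").iterdir()` loop now binds all of /home into the relaxed sandbox, so other users' home directories become reachable by the sandboxed command to whatever extent their DAC permissions allow; the commit message says this is deliberate, but nothing in the code records the assumption it rests on. That assumption only holds while the sandboxed process runs as the invoking unprivileged user — this file imports `acquire_privileges`, so if a relaxed sandbox can ever run with elevated privileges (not determinable from this hunk) the entire /home would be readable. I would add above the loop: `# /home is bound as a whole: relaxed mode is not a security boundary, and other users' homes are protected only by their own permissions.` The same point applies to the removal of the explicit home bind in the third hunk. sandbox_cmd starts and ends outside the hunk.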
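Review bot: Removing the `if home := current_home_dir():` bind drops coverage for any home directory that does not live under a top-level entry the generic loop binds; the old bind followed wherever `current_home_dir()` pointed (its implementation is in mkosi.util, not visible here), whereas the loop in the previous hunk only binds direct children of / that are absent from the exclusion tuple, so a home located under an excluded top-level directory would no longer be available in relaxed mode. If that trade-off is accepted, a one-line comment where the bind used to be would spare the next reader the search, e.g. `# The user's home is covered by the whole-/home bind above; homes outside /home are not bound separately.` sandbox_cmd continues outside the hunk.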