From: Daan De Meyer Date: Wed, 17 Jul 2024 10:41:25 +0000 (+0200) Subject: Only remount various directories if invoked as root X-Git-Tag: v24~30^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e78c5311977320ab85fec417f0de43e676d0a02a;p=thirdparty%2Fmkosi.git Only remount various directories if invoked as root If we weren't invoked as root we aren't allowed to write to any of these anyway so no need to remount them read-only.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 81b9f26a4..5b3cf2cf0 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4724,14 +4724,15 @@ def run_build(args: Args, config: Config, *, resources: Path, package_dir: Optio
 # For extra safety when running as root, remount a bunch of stuff read-only.
 # Because some build systems use output directories in /usr, we only remount
 # /usr read-only if the output directory is not relative to it.
- remount = ["/etc", "/opt", "/boot", "/efi", "/media"]
- if not config.output_dir_or_cwd().is_relative_to("/usr"):
- remount += ["/usr"]
-
- for d in remount:
- if Path(d).exists():
- options = "ro" if d in ("/usr", "/opt") else "ro,nosuid,nodev,noexec"
- run(["mount", "--rbind", d, d, "--options", options])
+ if INVOKING_USER.invoked_as_root:
+ remount = ["/etc", "/opt", "/boot", "/efi", "/media"]
+ if not config.output_dir_or_cwd().is_relative_to("/usr"):
+ remount += ["/usr"]
+
+ for d in remount:
+ if Path(d).exists():
+ options = "ro" if d in ("/usr", "/opt") else "ro,nosuid,nodev,noexec"
+ run(["mount", "--rbind", d, d, "--options", options])
 
 with (
 complete_step(f"Building {config.name()} image"),
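Review bot: With the new `if INVOKING_USER.invoked_as_root:` guard, an unprivileged invocation gets neither the read-only bind mounts nor the `nosuid,nodev,noexec` flags on `/etc`, `/boot`, `/efi` and `/media`, so protection of those paths rests entirely on file ownership. The commit message's premise that a non-root caller cannot write there holds for root-owned content only; anything beneath these directories that the invoking user owns or can write (user-mounted media under `/media`, a user-owned tree in `/opt`) presumably stays writable to build scripts. If that is the accepted trade-off, the comment above the guard should record it, e.g. `# Skipped when not invoked as root: host paths are then protected by file ownership only.` `run_build` begins and ends outside this hunk and the definition of `invoked_as_root` is not visible, so the exact privilege model of the non-root path should be confirmed.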