From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sat, 2 Nov 2024 15:11:07 +0000 (+0100)
Subject: Add PATH entries beneath the user's home to PATH in relaxed sandbox
X-Git-Tag: v25~188^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed9d1c48ff27841bf6be8ef5de3604f39457f514;p=thirdparty%2Fmkosi.git

Add PATH entries beneath the user's home to PATH in relaxed sandbox

This handles the case where a user adds ~/.local/bin to the PATH.
Let's make sure we use that even when running with a tools tree.
This might not work for binaries that are built against libraries
from the user's host /usr but there's lots of tools that will either
be statically compiled or written in an interpreted language like
python that will still work even when we switch out /usr from underneath
them.
---

diff --git a/mkosi/resources/man/mkosi.news.7.md b/mkosi/resources/man/mkosi.news.7.md
index 3355232ec..20076a162 100644
--- a/mkosi/resources/man/mkosi.news.7.md
+++ b/mkosi/resources/man/mkosi.news.7.md
@@ -82,6 +82,10 @@
   need to acquire some files for the build process place them somewhere
   sensible within `$BUILDROOT` so that they can be cached when building
   incrementally.
+- When using a tools tree and we use a relaxed sandbox to run a command
+  (qemu, nspawn, ...), we now keep $PATH entries inside the user's home
+  intact. Note that this may cause issues if a PATH entry in your home contains
+  binaries linked against libraries in `/usr` from the host.
 
 ## v24
 
diff --git a/mkosi/run.py b/mkosi/run.py
index d02ec4eb0..5be80a453 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -558,10 +558,23 @@ def sandbox_cmd(
         if network and Path("/etc/resolv.conf").exists():
             cmdline += ["--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]
 
+        home = None
+
     cmdline += [
         "--setenv",
         "PATH",
-        f"/scripts:{'/usr/bin:/usr/sbin' if tools != Path('/') else os.environ['PATH']}",
+        ":".join(
+            [
+                *(["/scripts"] if scripts else []),
+                "/usr/bin",
+                "/usr/sbin",
+                *(
+                    [s for s in os.environ["PATH"].split(":") if home and s.startswith(os.fspath(home))]
+                    if tools != Path("/")
+                    else [os.environ["PATH"]]
+                ),
+            ]
+        ),
     ]
 
     if scripts: