From: Daan De Meyer Date: Fri, 28 Jul 2023 17:07:51 +0000 (+0200) Subject: Move sandboxing from chroot_cmd() to bwrap() X-Git-Tag: v15~58 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbdf8ea3eec6edbec29b02aad3805cfdcb5f041b;p=thirdparty%2Fmkosi.git Move sandboxing from chroot_cmd() to bwrap() Let's leave it to bwrap() to set up any sandboxing that we need. Let's also add a bit more sandboxing to bwrap(), to avoid details from the host accidentally leaking into the image builds.
---
diff --git a/mkosi/run.py b/mkosi/run.py
index 01c82e898..5a5a65f45 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -263,7 +263,12 @@ def bwrap(
 "--dev-bind", "/", "/",
 "--chdir", Path.cwd(),
 "--unshare-pid",
+ "--unshare-ipc",
+ "--unshare-cgroup",
 "--die-with-parent",
+ "--proc", "/proc",
+ "--dev", "/dev",
+ "--ro-bind", "/sys", "/sys",
 *options,
 ]
@@ -294,8 +299,11 @@ def bwrap(
 if apivfs:
 chmod = f"chmod 1777 {apivfs / 'tmp'} {apivfs / 'var/tmp'} {apivfs / 'dev/shm'}"
+ # Make sure anything running in the apivfs directory thinks it's in a container. $container can't
+ # always be accessed so we write /run/host/container-manager as well which is always accessible.
+ container = f"mkdir {apivfs}/run/host && echo mkosi > {apivfs}/run/host/container-manager"
 else:
- chmod = ":"
+ chmod = container = ":"
 with tempfile.TemporaryDirectory(prefix="mkosi-var-tmp") as var_tmp,\
 tempfile.TemporaryDirectory(prefix="mkosi-scripts") as d:
@@ -325,7 +333,7 @@ def bwrap(
 "--ro-bind", apivfs / "etc/machine-id", apivfs / "etc/machine-id",
 ]
- cmdline += ["sh", "-c", f"{chmod} && exec $0 \"$@\" || exit $?"]
+ cmdline += ["sh", "-c", f"{chmod} && {container} && exec $0 \"$@\" || exit $?"]
 try:
 result = run([*cmdline, *cmd], env=env, log=False)
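Review bot: The new namespace flags leave the UTS namespace shared with the host, so the host's hostname stays visible to every command run under bwrap(), which is exactly the kind of host detail the commit message says it wants to keep out of image builds. Unless something in the sandbox needs the real hostname, add `"--unshare-uts",` alongside `"--unshare-ipc",` (bwrap's `--hostname` can then set a neutral name). The network namespace is presumably left shared on purpose so package managers can reach mirrors; a short comment on the option block such as `# Network namespace is deliberately shared so package installs can reach the host's mirrors.` would make that explicit. bwrap()'s body starts and ends outside this hunk.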
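Review bot: `mkdir {apivfs}/run/host` has no `-p`, so if `{apivfs}/run/host` already exists the `&&` chain assembled in the third hunk stops before `exec`, the requested command never runs and the caller only sees a non-zero exit status. Whether /run inside the apivfs tree is always a fresh tmpfs at this point is not visible in the hunk; `mkdir -p` makes the snippet idempotent either way: `container = f"mkdir -p {apivfs}/run/host && echo mkosi > {apivfs}/run/host/container-manager"`. Both this string and the existing chmod string interpolate the path unquoted into `sh -c`, which is only safe while apivfs is a mkosi-controlled path without spaces or shell metacharacters; `shlex.quote(str(apivfs))` would remove that assumption. The enclosing bwrap() starts and ends outside the hunk.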
@@ -350,11 +358,7 @@ def bwrap(
 def chroot_cmd(root: Path, *, options: Sequence[PathString] = (), network: bool = False) -> Sequence[PathString]:
 cmdline: list[PathString] = [
 "bwrap",
- "--unshare-ipc",
- "--unshare-pid",
- "--unshare-cgroup",
 "--dev-bind", root, "/",
- "--die-with-parent",
 "--setenv", "container", "mkosi",
 "--setenv", "SYSTEMD_OFFLINE", str(int(network)),
 "--setenv", "HOME", "/",
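Review bot: After this hunk the inner bwrap built by chroot_cmd() relies entirely on the outer bwrap() for PID/IPC/cgroup isolation and for `--die-with-parent`, and that holds only while every chroot_cmd() result is executed through bwrap(), which the hunk cannot show. If any caller passes the returned command straight to run(), the chroot now shares the host's namespaces and can outlive mkosi when the parent dies. I'd record the invariant in the function's docstring: `"""Build a bwrap command line that enters *root*. Namespace isolation and --die-with-parent are deliberately not set here: the result must be executed through bwrap(), which provides them."""`. chroot_cmd()'s body continues past the end of the hunk.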