From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sun, 14 Jan 2024 17:02:39 +0000 (+0100)
Subject: Make sure /etc/mtab exists in sandbox
X-Git-Tag: v20.2~22^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2283%2Fhead;p=thirdparty%2Fmkosi.git

Make sure /etc/mtab exists in sandbox

Required for pacman's CheckSpace option. To avoid messing with the
package manager tree /etc too much, we bind mount individual
subdirectories of it instead of the entire directory.
---

diff --git a/mkosi/context.py b/mkosi/context.py
index e0180fd63..ba4eb8ce7 100644
--- a/mkosi/context.py
+++ b/mkosi/context.py
@@ -8,7 +8,7 @@ from typing import Optional
 from mkosi.config import Args, Config
 from mkosi.tree import make_tree
 from mkosi.types import PathString
-from mkosi.util import umask
+from mkosi.util import flatten, umask
 
 
 class Context:
@@ -70,10 +70,13 @@ class Context:
             devices=devices,
             scripts=scripts,
             options=[
-                # This mount is writable so bwrap can create extra directories or symlinks inside of it as
-                # needed. This isn't a problem as the package manager directory is created by mkosi and
-                # thrown away when the build finishes.
-                "--bind", self.pkgmngr / "etc", "/etc",
+                # These mounts are writable so bubblewrap can create extra directories or symlinks inside of it as
+                # needed. This isn't a problem as the package manager directory is created by mkosi and thrown away
+                # when the build finishes.
+                *flatten(
+                    ["--bind", os.fspath(self.pkgmngr / "etc" / p.name), f"/etc/{p.name}"]
+                    for p in (self.pkgmngr / "etc").iterdir()
+                ),
                 *options,
                 *(["--ro-bind", os.fspath(p), os.fspath(p)] if (p := self.pkgmngr / "usr").exists() else []),
             ],
diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index df4035edf..555981b89 100644
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -138,6 +138,9 @@ def sandbox_cmd(
         *options,
     ]
 
+    if not relaxed:
+        cmdline += ["--symlink", "../proc/self/mounts", "/etc/mtab"]
+
     # If we're using /usr from a tools tree, we have to use /etc/alternatives from the tools tree as well if it
     # exists since that points directly back to /usr. Apply this after the options so the caller can mount
     # something else to /etc without overriding this mount. In relaxed mode, we only do this if /etc/alternatives
@@ -152,12 +155,15 @@ def sandbox_cmd(
     if network and not relaxed:
         cmdline += ["--bind", "/etc/resolv.conf", "/etc/resolv.conf"]
 
-    if devices:
-        shm = ":"
-    else:
-        shm = "chmod 1777 /dev/shm"
+    # bubblewrap creates everything with a restricted mode so relax stuff as needed.
+    ops = []
+    if not devices:
+        ops += ["chmod 1777 /dev/shm"]
+    if not relaxed:
+        ops += ["chmod 755 /etc"]
+    ops += ["exec $0 \"$@\""]
 
-    cmdline += ["sh", "-c", f"{shm} && exec $0 \"$@\""]
+    cmdline += ["sh", "-c", " && ".join(ops)]
 
     return cmdline