From 01ac080103f2bc61ecc23334b00334e421eebb8a Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Sun, 21 Jul 2024 22:07:32 +0200 Subject: [PATCH] Force user namespace in bubblewrap if we're not running as root Depending on whether bwrap is installed setuid or not it might try to not create a user namespace. Let's explicitly tell it to create one if we're not invoking it as root to make sure one is always created. --- mkosi/sandbox.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py index 459199fb4..49e8ca9f3 100644 --- a/mkosi/sandbox.py +++ b/mkosi/sandbox.py @@ -153,6 +153,11 @@ def sandbox_cmd( # We mounted a subdirectory of TMPDIR to /var/tmp so we unset TMPDIR so that /tmp or /var/tmp are used instead. "--unsetenv", "TMPDIR", ] + + # Make sure that bubblewrap uses a user namespace even if it's installed as setuid. + if os.getuid() != 0: + cmdline += ["--unshare-user"] + mounts += [Mount(tools / "usr", "/usr", ro=True)] if relaxed: -- 2.47.3
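Review bot: The added `--unshare-user` in `sandbox_cmd` has no documented failure mode for hosts where unprivileged user namespaces are disabled or restricted, which is commonly the reason bwrap is installed setuid; on such hosts the sandbox will presumably fail to start instead of running without a user namespace as it did before. If that hard failure is intended (bwrap's `--unshare-user-try` is the soft variant, but it would defeat the purpose stated in the description), state it in the comment, for example `# Fail hard rather than run without a user namespace: a setuid bwrap may otherwise skip creating one.` The check reads the real uid through `os.getuid()`; confirm that this, and not `os.geteuid()`, is the intended value for callers whose effective uid differs from the real one. The body of `sandbox_cmd` starts and ends outside the hunk, so whether `os` is already imported in `mkosi/sandbox.py` cannot be verified from here.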