From ce2843fb3898f88f0d0896d5172d379ddeb6e6b6 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 23 Aug 2023 13:16:44 +0200
Subject: [PATCH] Make's bwrap() read-only logic optional

We only really need this when running scripts, so let's make it configurable and only enable it when running scripts.
---
 mkosi/__init__.py | 5 +++++
 mkosi/distributions/gentoo.py | 6 ++----
 mkosi/installer/apt.py | 3 +--
 mkosi/installer/dnf.py | 3 +--
 mkosi/installer/pacman.py | 3 +--
 mkosi/installer/zypper.py | 3 +--
 mkosi/run.py | 20 ++++++++++++++------
 7 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index be92c96c7..ab94e45ac 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -267,6 +267,7 @@ def run_prepare_script(state: MkosiState, build: bool) -> None:
 bwrap(
 [state.config.prepare_script, "build"],
 network=True,
+ readonly=True,
 options=finalize_mounts(state.config),
 scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
 env=env | state.config.environment,
@@ -277,6 +278,7 @@ def run_prepare_script(state: MkosiState, build: bool) -> None:
 bwrap(
 [state.config.prepare_script, "final"],
 network=True,
+ readonly=True,
 options=finalize_mounts(state.config),
 scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
 env=env | state.config.environment,
@@ -330,6 +332,7 @@ def run_build_script(state: MkosiState) -> None:
 bwrap(
 [state.config.build_script],
 network=state.config.with_network,
+ readonly=True,
 options=finalize_mounts(state.config),
 scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
 env=env | state.config.environment,
@@ -367,6 +370,7 @@ def run_postinst_script(state: MkosiState) -> None:
 bwrap(
 [state.config.postinst_script, "final"],
 network=state.config.with_network,
+ readonly=True,
 options=finalize_mounts(state.config),
 scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
 env=env | state.config.environment,
@@ -404,6 +408,7 @@ def run_finalize_script(state: MkosiState) -> None:
 bwrap(
 [state.config.finalize_script],
 network=state.config.with_network,
+ readonly=True,
 options=finalize_mounts(state.config),
 scripts={"mkosi-chroot": chroot} | package_manager_scripts(state),
 env=env | state.config.environment,
diff --git a/mkosi/distributions/gentoo.py b/mkosi/distributions/gentoo.py
index 2216d6565..fde88233f 100644
--- a/mkosi/distributions/gentoo.py
+++ b/mkosi/distributions/gentoo.py
@@ -15,7 +15,7 @@ from mkosi.run import apivfs_cmd, bwrap, chroot_cmd, run
 from mkosi.state import MkosiState
 from mkosi.tree import copy_tree, rmtree
 from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages
+from mkosi.util import sort_packages
 
 
 def invoke_emerge(state: MkosiState, packages: Sequence[str] = (), apivfs: bool = True) -> None:
@@ -49,7 +49,6 @@ def invoke_emerge(state: MkosiState, packages: Sequence[str] = (), apivfs: bool
 "--bind", state.cache_dir / "stage3/var", "/var",
 "--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf",
 "--bind", state.cache_dir / "repos", "/var/db/repos",
- *flatten(["--bind", str(d), str(d)] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
 ],
 env=dict(
 PKGDIR=str(state.cache_dir / "binpkgs"),
@@ -145,8 +144,7 @@ class GentooInstaller(DistributionInstaller):
 options=["--bind", state.cache_dir / "repos", "/var/db/repos"],
 )
 
- bwrap(cmd=chroot + ["emerge-webrsync"], network=True,
- options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d))
+ bwrap(cmd=chroot + ["emerge-webrsync"], network=True)
 
 invoke_emerge(state, packages=["sys-apps/baselayout"], apivfs=False)
 
diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index d84a71a6b..50a0162c2 100644
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
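Review bot: Dropping the explicit `--bind` of workspace_dir and cache_dir here only works because bwrap()'s new `readonly` parameter defaults to False, so the host tree bound by `--dev-bind / /` is now writable from inside the sandbox; the same applies to the emerge-webrsync call in the next hunk and to invoke_apt, invoke_dnf, invoke_pacman and invoke_zypper. That is a strictly larger write surface than the previous read-only root plus two writable directories, and these are the invocations that process content fetched over the network, so the widening should be visible at the call site rather than implied by a default. A one-line comment at each bwrap() call, `# NOTE: host root is writable here (bwrap() readonly defaults to False)`, would make the intent reviewable; if the set of paths these tools need to write is known, passing `readonly=True` with explicit `--bind` options would keep the earlier confinement. invoke_emerge starts and ends outside this hunk.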
@@ -6,7 +6,7 @@ from collections.abc import Sequence
 from mkosi.run import apivfs_cmd, bwrap
 from mkosi.state import MkosiState
 from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages, umask
+from mkosi.util import sort_packages, umask
 
 
 def setup_apt(state: MkosiState, repos: Sequence[str]) -> None:
@@ -107,5 +107,4 @@ def invoke_apt(
 ) -> None:
 cmd = apivfs_cmd(state.root) if apivfs else []
 bwrap(cmd + apt_cmd(state, command) + [operation, *sort_packages(packages)],
- options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
 network=True, env=state.config.environment)
diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index c9bab7f22..83522caed 100644
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -10,7 +10,7 @@ from mkosi.run import apivfs_cmd, bwrap
 from mkosi.state import MkosiState
 from mkosi.tree import rmtree
 from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages
+from mkosi.util import sort_packages
 
 
 class Repo(NamedTuple):
@@ -116,7 +116,6 @@ def dnf_cmd(state: MkosiState) -> list[PathString]:
 def invoke_dnf(state: MkosiState, command: str, packages: Iterable[str], apivfs: bool = True) -> None:
 cmd = apivfs_cmd(state.root) if apivfs else []
 bwrap(cmd + dnf_cmd(state) + [command, *sort_packages(packages)],
- options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
 network=True, env=state.config.environment)
 
 fixup_rpmdb_location(state.root)
diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index af7dfc90b..4b0489b45 100644
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -8,7 +8,7 @@ from mkosi.config import ConfigFeature
 from mkosi.run import apivfs_cmd, bwrap
 from mkosi.state import MkosiState
 from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages, umask
+from mkosi.util import sort_packages, umask
 
 
 def setup_pacman(state: MkosiState) -> None:
@@ -113,5 +113,4 @@ def pacman_cmd(state: MkosiState) -> list[PathString]:
 def invoke_pacman(state: MkosiState, packages: Sequence[str], apivfs: bool = True) -> None:
 cmd = apivfs_cmd(state.root) if apivfs else []
 bwrap(cmd + pacman_cmd(state) + ["-Sy", *sort_packages(packages)],
- options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
 network=True, env=state.config.environment)
diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py
index 16cf030aa..3b4b7f575 100644
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
@@ -6,7 +6,7 @@ from mkosi.installer.dnf import Repo, fixup_rpmdb_location
 from mkosi.run import apivfs_cmd, bwrap
 from mkosi.state import MkosiState
 from mkosi.types import PathString
-from mkosi.util import flatten, sort_packages
+from mkosi.util import sort_packages
 
 
 def setup_zypper(state: MkosiState, repos: Sequence[Repo]) -> None:
@@ -70,7 +70,6 @@ def invoke_zypper(
 ) -> None:
 cmd = apivfs_cmd(state.root) if apivfs else []
 bwrap(cmd + zypper_cmd(state) + [verb, *sort_packages(packages), *options],
- options=flatten(["--bind", d, d] for d in (state.config.workspace_dir, state.config.cache_dir) if d),
 network=True, env=state.config.environment)
 
 fixup_rpmdb_location(state.root)
diff --git a/mkosi/run.py b/mkosi/run.py
index 87e8a5a95..80b1a88fb 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -272,6 +272,7 @@ def bwrap(
 cmd: Sequence[PathString],
 *,
 network: bool = False,
+ readonly: bool = False,
 options: Sequence[PathString] = (),
 log: bool = True,
 scripts: Mapping[str, Sequence[PathString]] = {},
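Review bot: The new `readonly` parameter defaults to False, so any bwrap() caller that does not opt in gets a writable host root; every script runner in mkosi/__init__.py has to remember `readonly=True`, and a caller that forgets it (including any not shown in this diff) silently loses the sandboxing instead of failing closed. If no other callers exist, `readonly: bool = True` with the package-manager call sites passing `readonly=False` explicitly would keep the restrictive behaviour as the default and make the relaxation the visible, reviewed choice. Whichever default is kept, the parameter is undocumented; a docstring line or comment such as `readonly: remount "/" read-only inside the sandbox (plus /root, /home, /var and /run read-only, /var/tmp writable); when False the host tree bound with --dev-bind stays writable` states the contract the next hunk implements. bwrap() continues past this hunk.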
@@ -282,12 +283,19 @@ def bwrap(
 cmdline: list[PathString] = [
 "bwrap",
 "--dev-bind", "/", "/",
- "--remount-ro", "/",
- "--ro-bind", "/root", "/root",
- "--ro-bind", "/home", "/home",
- "--ro-bind", "/var", "/var",
- "--ro-bind", "/run", "/run",
- "--bind", "/var/tmp", "/var/tmp",
+ ]
+
+ if readonly:
+ cmdline += [
+ "--remount-ro", "/",
+ "--ro-bind", "/root", "/root",
+ "--ro-bind", "/home", "/home",
+ "--ro-bind", "/var", "/var",
+ "--ro-bind", "/run", "/run",
+ "--bind", "/var/tmp", "/var/tmp",
+ ]
+
+ cmdline += [
 "--tmpfs", "/tmp",
 "--bind", Path.cwd(), Path.cwd(),
 "--chdir", Path.cwd(),
-- 
2.47.2
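Review bot: The `if readonly:` block is now the only thing standing between the sandboxed command and a fully writable host filesystem, and nothing in the rewritten cmdline says so: once `--remount-ro "/"` moves under the condition, the unconditional `"--dev-bind", "/", "/"` line leaves every host path writable whenever readonly is False, while `--tmpfs /tmp` and the cwd bind apply in both modes. A comment above the conditional, `# Without readonly the host tree dev-bound above stays writable; only the script runners opt in.`, would keep that boundary obvious to the next person editing this list. The `--bind /var/tmp` entry deliberately re-opens a writable path under the preceding `--ro-bind /var`, which is worth a short `# /var/tmp stays writable on top of the read-only /var` note as well. bwrap() starts before and continues past this hunk.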