From 1a5807fafc10d54eacf19315172d67c27fe68bd7 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Tue, 30 Apr 2024 15:32:11 +0200
Subject: [PATCH] vmspawn: Run with sandbox

Now that we can look up binaries in --extra-search-paths=, we can run vmspawn with a sandbox as well.
---
 mkosi/vmspawn.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mkosi/vmspawn.py b/mkosi/vmspawn.py
index 3bab311c1..9bc0027c6 100644
--- mkosi/vmspawn.py
+++ b/mkosi/vmspawn.py
@@ -102,4 +102,11 @@ def run_vmspawn(args: Args, config: Config) -> None:
 cmdline += [*args.cmdline, *config.kernel_command_line_extra]
- run(cmdline, stdin=sys.stdin, stdout=sys.stdout, env=os.environ | config.environment, log=False)
+ run(
+ cmdline,
+ stdin=sys.stdin,
+ stdout=sys.stdout,
+ env=os.environ | config.environment,
+ log=False,
+ sandbox=config.sandbox(binary=cmdline[0], network=True, devices=True, relaxed=True),
+ )
-- 
2.47.2
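Review bot: The new `sandbox=` argument turns on `network=True`, `devices=True` and `relaxed=True` together, and nothing in the hunk records why each flag is required. `config.sandbox()` is defined outside this diff, so the exact effect of `relaxed=True` cannot be checked here; if it exposes most of the host filesystem, the sandbox confines the vmspawn process far less than the commit title suggests. I would add a comment above the argument, e.g. `# vmspawn needs host networking and device nodes; relaxed=True because <reason>`, so a later change can drop any flag that turns out to be unnecessary. The whole host environment is still forwarded through `env=os.environ | config.environment`, which the sandbox does not narrow. `run_vmspawn` begins before the hunk, so how `cmdline[0]` (used for `binary=`) is chosen is not visible.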