From 3454f7bd4ef0336ec80a117d593baaef0fe53398 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Tue, 1 Oct 2024 09:44:36 +0200 Subject: [PATCH] Don't remount directory read-only if output directory is located in it See #3083 --- mkosi/__init__.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mkosi/__init__.py b/mkosi/__init__.py index bb42fbd78..b1a73fe43 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -4184,18 +4184,18 @@ def run_build( if os.getuid() == 0: mount("", "/", "", MS_SLAVE | MS_REC, "") - # For extra safety when running as root, remount a bunch of stuff read-only. Because some build systems - # use output directories in /usr, we only remount /usr read-only if the output directory is not relative - # to it. + # For extra safety when running as root, remount a bunch of directories read-only unless the output + # directory is located in it. if os.getuid() == 0: - remount = ["/etc", "/opt", "/boot", "/efi", "/media"] - if not config.output_dir_or_cwd().is_relative_to("/usr"): - remount += ["/usr"] + remount = ["/etc", "/opt", "/boot", "/efi", "/media", "/usr"] for d in remount: if not Path(d).exists(): continue + if config.output_dir_or_cwd().is_relative_to(d): + continue + attrs = MOUNT_ATTR_RDONLY if d not in ("/usr", "/opt"): attrs |= MOUNT_ATTR_NOSUID | MOUNT_ATTR_NODEV | MOUNT_ATTR_NOEXEC