Don't remount directory read-only if output directory is located in it

See #3083
systemd · Oct 1, 2024 · 3454f7b · 3454f7b
1 parent c218e80
commit 3454f7b
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -4184,18 +4184,18 @@ def run_build(
     if os.getuid() == 0:
         mount("", "/", "", MS_SLAVE | MS_REC, "")
 
-    # For extra safety when running as root, remount a bunch of stuff read-only. Because some build systems
-    # use output directories in /usr, we only remount /usr read-only if the output directory is not relative
-    # to it.
+    # For extra safety when running as root, remount a bunch of directories read-only unless the output
+    # directory is located in it.
     if os.getuid() == 0:
-        remount = ["/etc", "/opt", "/boot", "/efi", "/media"]
-        if not config.output_dir_or_cwd().is_relative_to("/usr"):
-            remount += ["/usr"]
+        remount = ["/etc", "/opt", "/boot", "/efi", "/media", "/usr"]
 
         for d in remount:
             if not Path(d).exists():
                 continue
 
+            if config.output_dir_or_cwd().is_relative_to(d):
+                continue
+
             attrs = MOUNT_ATTR_RDONLY
             if d not in ("/usr", "/opt"):
                 attrs |= MOUNT_ATTR_NOSUID | MOUNT_ATTR_NODEV | MOUNT_ATTR_NOEXEC