systemd · DaanDeMeyer · Mar 12, 2025 · Mar 11, 2025 · Mar 11, 2025 · Mar 11, 2025
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -87,7 +87,12 @@
 from mkosi.kmod import gen_required_kernel_modules, loaded_modules, process_kernel_modules
 from mkosi.log import ARG_DEBUG, complete_step, die, log_notice, log_step
 from mkosi.manifest import Manifest
-from mkosi.mounts import finalize_certificate_mounts, finalize_source_mounts, mount_overlay
+from mkosi.mounts import (
+    finalize_certificate_mounts,
+    finalize_source_mounts,
+    finalize_volatile_tmpdir,
+    mount_overlay,
+)
 from mkosi.pager import page
 from mkosi.partition import Partition, finalize_root, finalize_roothash
 from mkosi.qemu import (
@@ -114,6 +119,7 @@
     workdir,
 )
 from mkosi.sandbox import (
+    CAP_SYS_ADMIN,
     CLONE_NEWNS,
     MOUNT_ATTR_NODEV,
     MOUNT_ATTR_NOEXEC,
@@ -123,6 +129,7 @@
     MS_SLAVE,
     __version__,
     acquire_privileges,
+    have_effective_cap,
     join_new_session_keyring,
     mount,
     mount_rbind,
@@ -499,7 +506,12 @@ def setup_build_overlay(context: Context, volatile: bool = False) -> Iterator[No
         if volatile:
             context.lowerdirs = [d]
             context.upperdir = Path(
-                stack.enter_context(tempfile.TemporaryDirectory(prefix="volatile-overlay"))
+                stack.enter_context(
+                    tempfile.TemporaryDirectory(
+                        prefix="volatile-overlay.",
+                        dir=finalize_volatile_tmpdir(),
+                    )
+                )
             )
             os.chmod(context.upperdir, d.stat().st_mode)
         else:
@@ -4888,12 +4900,11 @@ def run_build(
     metadata_dir: Path,
     package_dir: Optional[Path] = None,
 ) -> None:
-    if os.getuid() != 0:
+    if not have_effective_cap(CAP_SYS_ADMIN):
         acquire_privileges()
-
-    unshare(CLONE_NEWNS)
-
-    if os.getuid() == 0:
+        unshare(CLONE_NEWNS)
+    else:
+        unshare(CLONE_NEWNS)
         mount("", "/", "", MS_SLAVE | MS_REC, "")
 
     # For extra safety when running as root, remount a bunch of directories read-only unless the output

diff --git a/mkosi/mounts.py b/mkosi/mounts.py
@@ -10,7 +10,7 @@
 
 from mkosi.config import BuildSourcesEphemeral, Config
 from mkosi.log import die
-from mkosi.sandbox import OverlayOperation
+from mkosi.sandbox import OVERLAYFS_SUPER_MAGIC, OverlayOperation, statfs
 from mkosi.util import PathString, flatten
 
 
@@ -30,6 +30,20 @@ def delete_whiteout_files(path: Path) -> None:
             entry.unlink()
 
 
+def finalize_volatile_tmpdir() -> Path:
+    if tempfile.tempdir and statfs(tempfile.tempdir) != OVERLAYFS_SUPER_MAGIC:
+        return Path(tempfile.tempdir)
+
+    for path in ("/var/tmp", "/tmp", "/dev/shm"):
+        if Path(path).exists() and statfs(path) != OVERLAYFS_SUPER_MAGIC:
+            return Path(path)
+
+    die(
+        "Cannot find temporary directory for volatile overlayfs upperdir",
+        hint="Either /var/tmp, /tmp or /dev/shm must exist and not be located on overlayfs",
+    )
+
+
 @contextlib.contextmanager
 def mount_overlay(
     lowerdirs: Sequence[Path],
@@ -39,7 +53,14 @@ def mount_overlay(
 ) -> Iterator[Path]:
     with contextlib.ExitStack() as stack:
         if upperdir is None:
-            upperdir = Path(stack.enter_context(tempfile.TemporaryDirectory(prefix="volatile-overlay")))
+            upperdir = Path(
+                stack.enter_context(
+                    tempfile.TemporaryDirectory(
+                        prefix="volatile-overlay.",
+                        dir=finalize_volatile_tmpdir(),
+                    )
+                )
+            )
             st = lowerdirs[-1].stat()
             os.chmod(upperdir, st.st_mode)
 
@@ -85,7 +106,12 @@ def finalize_source_mounts(
                     upperdir.mkdir(mode=src.stat().st_mode, exist_ok=True)
                 else:
                     upperdir = Path(
-                        stack.enter_context(tempfile.TemporaryDirectory(prefix="volatile-overlay."))
+                        stack.enter_context(
+                            tempfile.TemporaryDirectory(
+                                prefix="volatile-overlay.",
+                                dir=finalize_volatile_tmpdir(),
+                            )
+                        )
                     )
                     os.chmod(upperdir, src.stat().st_mode)
 

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
@@ -452,7 +452,7 @@ def become_user(uid: int, gid: int) -> None:
 
 
 def acquire_privileges(*, become_root: bool = False) -> bool:
-    if os.getuid() == 0 or (not become_root and have_effective_cap(CAP_SYS_ADMIN)):
+    if have_effective_cap(CAP_SYS_ADMIN) and (os.getuid() == 0 or not become_root):
         return False
 
     if become_root:

diff --git a/mkosi/tree.py b/mkosi/tree.py
@@ -87,6 +87,10 @@ def maybe_make_nocow(path: Path) -> None:
             raise
 
 
+def tree_has_selinux_xattr(path: Path) -> bool:
+    return any("security.selinux" in os.listxattr(p) for p in (path, *path.rglob("*")))
+
+
 def copy_tree(
     src: Path,
     dst: Path,
@@ -109,9 +113,7 @@ def copy_tree(
         attrs += ",timestamps,ownership"
 
         # Trying to copy selinux xattrs to overlayfs fails with "Operation not supported" in containers.
-        if statfs(os.fspath(dst.parent)) != OVERLAYFS_SUPER_MAGIC or "security.selinux" not in os.listxattr(
-            src
-        ):
+        if statfs(os.fspath(dst.parent)) != OVERLAYFS_SUPER_MAGIC or not tree_has_selinux_xattr(src):
             attrs += ",xattr"
 
     def copy() -> None: