Use --close with flock and drop --no-fork
Let's make sure only flock holds the lock and it's not inherited by
the child process it spawns. This fixes an SELinux denial on some
systems.
DaanDeMeyer authored and behrmann committed Mar 12, 2024
1 parent 43aaa3e commit 2ac852c
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions mkosi/user.py
Expand Up @@ -135,14 +135,14 @@ def become_root() -> None:
# generated files are owned by that user. We don't map to the last user in the range as the last user
# is sometimes used in tests as a default value and mapping to that user might break those tests.
newuidmap = [
"flock", "--exclusive", "--no-fork", lock, "newuidmap", pid,
"flock", "--exclusive", "--close", lock, "newuidmap", pid,
0, subuid, SUBRANGE - 100,
SUBRANGE - 100, os.getuid(), 1,
SUBRANGE - 100 + 1, subuid + SUBRANGE - 100 + 1, 99
]

newgidmap = [
"flock", "--exclusive", "--no-fork", lock, "newgidmap", pid,
"flock", "--exclusive", "--close", lock, "newgidmap", pid,
0, subgid, SUBRANGE - 100,
SUBRANGE - 100, os.getgid(), 1,
SUBRANGE - 100 + 1, subgid + SUBRANGE - 100 + 1, 99
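Review bot: the two edited lines lack a code comment recording why `--close` is used instead of `--no-fork`, so a later cleanup could plausibly switch back to `--no-fork` to save a fork and reintroduce the SELinux denial. Suggest a comment above `newuidmap = [` along the lines of `# Use flock --close so the setuid newuidmap/newgidmap do not inherit the lock fd; inheriting it triggers an SELinux denial on some systems.` The change itself is consistent with flock(1): `--no-fork` execs the command inside the flock process, so newuidmap/newgidmap inherit the open descriptor on `lock`, whereas `--close` forks, closes the lock fd in the child before exec, and the parent flock keeps holding the lock until the child exits, so mutual exclusion between concurrent callers is preserved while the privileged helper no longer receives an extra open fd (the two options are mutually exclusive in util-linux flock, so replacing rather than adding was the right move). Since the same five-element `flock` prefix now appears in both lists, factoring it into a single variable would keep the two invocations from drifting apart.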
