systemd / mkosi

💽 Build Bespoke OS Images
https://mkosi.systemd.io/

Mkosi 25 is not compatible with linux-hardened #3054

Closed dvzrv closed 1 month ago

dvzrv commented 1 month ago

mkosi commit the issue has been seen with

158c2d1fd221e7dd689ea14a1b32617b22764b43

Used host distribution

Arch Linux

Used target distribution

No response

Linux kernel version used

6.10.10-hardened1-1-hardened

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

When trying to use this repository's mkosi to run mkosi build on the setup available in this repository, it fails on linux-hardened (user namespaces are enabled using sysctl kernel.unprivileged_userns_clone=1).

cc @anthraxx

Used mkosi config

# SPDX-License-Identifier: LGPL-2.1-or-later
[Build]
CacheDirectory=mkosi.cache
History=yes

[Output]
# These images are (among other things) used for running mkosi which means we need some disk space available so
# default to directory output where disk space isn't a problem.
Format=directory
OutputDirectory=mkosi.output

[Content]
Autologin=yes
SELinuxRelabel=no
ShimBootloader=unsigned
BuildSources=.
BuildSourcesEphemeral=yes

Packages=
        bash
        binutils
        gdb
        less
        nano
        strace
        sudo
        systemd
        tmux
        udev
        zsh

InitrdPackages=
        less

RemoveFiles=
        # The grub install plugin doesn't play nice with booting from virtiofs.
        /usr/lib/kernel/install.d/20-grub.install
        # The dracut install plugin doesn't honor KERNEL_INSTALL_INITRD_GENERATOR.
        /usr/lib/kernel/install.d/50-dracut.install

# Make sure that SELinux doesn't run in enforcing mode even if it's pulled in as a dependency.
KernelCommandLine=
        enforcing=0
        systemd.log_ratelimit_kmsg=0
        systemd.crash_shell
        printk.devkmsg=on
        systemd.early_core_pattern=/core

KernelModulesInitrdExclude=.*
KernelModulesInitrdInclude=default

[Host]
QemuMem=4G

mkosi output

PATH="/home/user/Downloads/mkosi/bin:$PATH" mkosi build
‣ Syncing package manager metadata
Traceback (most recent call last):
  File "/home/user/Downloads/mkosi/mkosi/sandbox.py", line 828, in <module>
  File "/home/user/Downloads/mkosi/mkosi/sandbox.py", line 793, in main
  File "/home/user/Downloads/mkosi/mkosi/sandbox.py", line 602, in execute
  File "/home/user/Downloads/mkosi/mkosi/sandbox.py", line 122, in mount
  File "/home/user/Downloads/mkosi/mkosi/sandbox.py", line 97, in oserror
PermissionError: [Errno 1] Operation not permitted: 'newroot/etc'
‣ "pacman --root=/buildroot --logfile=/dev/null --dbpath=/var/lib/pacman --cachedir=/var/cache/pacman/mkosi --cachedir=/var/cache/pacman/pkg --hookdir=/buildroot/etc/pacman.d/hooks --arch x86_64 --color auto --noconfirm --sync --refresh" returned non-zero exit code 1.

DaanDeMeyer commented 1 month ago

@dvzrv This is because of https://github.com/anthraxx/linux-hardened/commit/95574b9f01840e512b63d045cc80924c04851741#diff-9c2bed222f3a893e1032fa31590f2296fa2224eef8f82ec46c2166c6a265cf10R128.

Nothing I can do about this in mkosi; we need the unprivileged overlay mounts. You'll have to figure something out on the linux-hardened side.
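
A quick way to confirm on a given host whether the failure above is this restriction is to attempt the same operation mkosi's sandbox needs (an overlay mount from inside an unprivileged user namespace) and look at the result. The following diagnostic is an added example, not part of mkosi or of the linux-hardened project; it assumes util-linux `unshare` and `mount` are installed, and it only reads the `kernel.unprivileged_userns_clone` sysctl mentioned in the report, printing `n/a` on kernels that do not carry it.

```shell
#!/bin/sh
# Added host check (not mkosi's own code): does this kernel let an unprivileged
# user create an overlay mount inside a user namespace? That is the operation
# mkosi's sandbox relies on and that the report shows failing with EPERM.
# Assumes util-linux 'unshare' and 'mount' are installed.

# Prints the value of the linux-hardened sysctl named in the report, or "n/a"
# on kernels that do not carry that sysctl (or where sysctl is missing).
userns_clone_setting() {
    sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo n/a
}

# Prints exactly one word:
#   permitted   - unprivileged overlay mount succeeded
#   denied      - user namespaces work, but the overlay mount was refused
#   unavailable - no 'unshare', or a user+mount namespace cannot be created
probe_unpriv_overlay() {
    command -v unshare >/dev/null 2>&1 || { echo unavailable; return 0; }
    # Can we create a user namespace with a mount namespace at all?
    unshare -Urm true 2>/dev/null || { echo unavailable; return 0; }

    work=$(mktemp -d) || { echo unavailable; return 0; }
    # Inside a fresh namespace: mount a tmpfs we own, then try to stack an
    # overlay on top of it. The mounts vanish when the namespace exits.
    if unshare -Urm sh -c '
            set -e
            mount -t tmpfs tmpfs "$1"
            mkdir "$1/lower" "$1/upper" "$1/work" "$1/merged"
            mount -t overlay overlay \
                -o "lowerdir=$1/lower,upperdir=$1/upper,workdir=$1/work" \
                "$1/merged"
        ' sh "$work" >"$work.log" 2>&1
    then
        result=permitted
    elif grep -qi 'not permitted' "$work.log"; then
        result=denied
    else
        result=unavailable
    fi
    rm -rf "$work" "$work.log"
    echo "$result"
}

# Stand-alone usage: report both facts the issue turns on.
echo "kernel.unprivileged_userns_clone: $(userns_clone_setting)"
echo "unprivileged overlay mount:       $(probe_unpriv_overlay)"
```

A host that prints `denied` while the sysctl reads `1` matches the situation in this issue: user namespaces are allowed, but the kernel refuses overlay mounts from inside them, so no mkosi configuration change on the sandbox side will help. `unavailable` means the probe could not even create the namespace, which is a different problem (seccomp, container limits, or user namespaces switched off entirely).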

DaanDeMeyer commented 1 month ago

Turns out we can do something about this for the basic cases.

dvzrv commented 1 month ago

Thanks for still looking into this! (sorry, I only now had the time to try them)

With the added changes I see:

‣ Syncing package manager metadata
Traceback (most recent call last):
  File "/home/dave/work/archlinux/mkosi/mkosi/sandbox.py", line 860, in <module>
  File "/home/dave/work/archlinux/mkosi/mkosi/sandbox.py", line 825, in main
  File "/home/dave/work/archlinux/mkosi/mkosi/sandbox.py", line 631, in execute
  File "/home/dave/work/archlinux/mkosi/mkosi/sandbox.py", line 123, in mount
  File "/home/dave/work/archlinux/mkosi/mkosi/sandbox.py", line 98, in oserror
PermissionError: [Errno 1] Operation not permitted: 'newroot/var'
‣ "pacman --root=/buildroot --logfile=/dev/null --dbpath=/var/lib/pacman --cachedir=/var/cache/pacman/mkosi --cachedir=/var/cache/pacman/pkg --hookdir=/buildroot/etc/pacman.d/hooks --arch x86_64 --color auto --noconfirm --sync --refresh" returned non-zero exit code 1.

DaanDeMeyer commented 1 month ago

@dvzrv Try with https://github.com/systemd/mkosi/pull/3080