Merge pull request 'Add /bin/sh to bubblewrap sandbox' (#3551) from jfly/clan-core:bin-sh-in-sandbox into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3551
2025-05-12 10:07:56 +00:00
parent 556fd8845e 5726dd1010
commit 0064a8bfbc
2 changed files with 2 additions and 0 deletions
--- a/pkgs/clan-cli/clan_cli/facts/generate.py
+++ b/pkgs/clan-cli/clan_cli/facts/generate.py
@@ -48,6 +48,7 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
            "--unshare-all",
            "--tmpfs",  "/",
            "--ro-bind", "/nix/store", "/nix/store",
+            "--ro-bind", "/bin/sh", "/bin/sh",
            "--dev", "/dev",
            # not allowed to bind procfs in some sandboxes
            "--bind", str(facts_dir), str(facts_dir),
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -103,6 +103,7 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
            "--unshare-all",
            "--tmpfs",  "/",
            "--ro-bind", "/nix/store", "/nix/store",
+            "--ro-bind", "/bin/sh", "/bin/sh",
            *(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
            "--dev", "/dev",
            # not allowed to bind procfs in some sandboxes