From 2b4e913e1e2f87e4fce4f35b49160d3a798321c4 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Fri, 9 Jul 2021 16:01:12 +0200
Subject: [PATCH] objectstore: only bind-mount /usr for host trees
The only thing we should ever need from the host is `/usr`. Therefore instead of bind-mounting the entirety that is `/`, just bind-mount `/usr`.
---
 osbuild/objectstore.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/osbuild/objectstore.py b/osbuild/objectstore.py
index 8fd8cf82..c275cb32 100644
--- a/osbuild/objectstore.py
+++ b/osbuild/objectstore.py
@@ -254,7 +254,13 @@ class HostTree:
 @contextlib.contextmanager
 def read(self):
 with self.store.tempdir() as tmp:
- mount("/", tmp)
+ # Create a bare bones root file system
+ # with just /usr mounted from the host
+ usr = os.path.join(tmp, "usr")
+ os.makedirs(usr)
+
+ mount(tmp, tmp) # ensure / is read-only
+ mount("/usr", usr)
 try:
 yield tmp
 finally:
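Review bot: `mount("/usr", usr)` runs before the `try:`, so if it raises, the self bind-mount made by `mount(tmp, tmp)` on the line above is never undone and the temporary directory is still a live mount point when `self.store.tempdir()` cleans up. Moving the second call inside the block, so that `try:` is followed by `mount("/usr", usr)` and then `yield tmp`, lets the existing `finally:` cover that case. The `finally:` body lies outside the hunk, so it is worth confirming that it unmounts the nested `/usr` mount as well as `tmp` (a recursive unmount, or two unmounts in reverse order). The `# ensure / is read-only` comment also depends on the default options of `mount()`, which are not visible here; since a restricted, read-only host view is the point of this change, a comment stating that both binds are expected to be read-only would make that assumption explicit.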