bwrap-helper: Always bind /etc/ssl/certs

The bwrap fhs userenv uses readlink -f to resolve symlinks. It is called in the argument list of bwrap like this: --ro-bind-try $(readlink -f /etc/ssl/certs) /etc/ssl/certs Normally, readlink -f returns the passed path if there is no file at the path. However, this only works, if the parent directory of the file exists. Thus if /etc/ssl does not exist, readlink -f /etc/ssl/certs will return nothing. This causes the argument list of bwrap to be wrong (it has only one argument to --ro-bind-try when it expected two), which causes it to fail with hard to track down errors.
2022-03-12 16:42:06 +01:00 · 2022-03-12 16:42:06 +01:00 · 18652c7580
parent 0de69de256
commit 18652c7580
1 changed files with 1 additions and 1 deletions
--- a/pkgs/bwrap-helper/bwrap-helper.py
+++ b/pkgs/bwrap-helper/bwrap-helper.py
@ -87,6 +87,7 @@ argument_groups = {
            "--dir",
            f"/run/user/{uid}",
            *ro_bind("/etc/localtime"),
+            *ro_bind("/etc/ssl/certs"),
            "--unshare-all",
            "--die-with-parent",
        ],
@ -174,7 +175,6 @@ argument_groups = {
                ro_bind,
                [
                    "/etc/resolv.conf",
-                    "/etc/ssl/certs",
                ],
            ),
        ],