Enforce that images with Overlay=yes only add files

Any extension images built with Overlay=yes should never override files in the base image, so let's add some enforcement to make sure that's the case by automatically removing files that already exist in the base image.
systemd · Jan 20, 2025 · abaa8e2 · abaa8e2
1 parent d18157c
commit abaa8e2
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -175,9 +175,22 @@ def mount_base_trees(context: Context) -> Iterator[None]:
             else:
                 die(f"Unsupported base tree source {path}")
 
-        stack.enter_context(mount_overlay(bases, context.root, upperdir=context.root))
-
-        yield
+        with mount_overlay(bases, context.root, upperdir=context.root):
+            yield
+
+        stack.enter_context(mount_overlay(bases, context.workspace / "lower"))
+
+        for p in context.root.rglob("*"):
+            rel = p.relative_to(context.root)
+            q = context.workspace / "lower" / rel
+
+            if q.is_dir(follow_symlinks=False):
+                if not p.is_dir(follow_symlinks=False):
+                    die(f"/{rel} is a directory in the base tree but not in the overlay")
+                shutil.copystat(q, p, follow_symlinks=False)
+            elif q.exists(follow_symlinks=False):
+                logging.warning(f"Removing duplicate path /{rel} from overlay")
+                p.unlink()
 
 
 def remove_files(context: Context) -> None: