From ae0527df18a9c5b94b28351b2265a20012d2fda0 Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Fri, 31 Jan 2025 12:02:51 +0100
Subject: [PATCH] Disable sandbox in oci images due to missing kernel landlock
Resolves the `error: restricting filesystem access failed because the landlock ruleset could not be applied!` when running pacman. Closes #103.
---
 scripts/make-rootfs.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/scripts/make-rootfs.sh b/scripts/make-rootfs.sh
index 82f9e8c..a92bd71 100755
--- a/scripts/make-rootfs.sh
+++ b/scripts/make-rootfs.sh
@@ -18,6 +18,11 @@ cat pacman-conf.d-noextract.conf >> "$BUILDDIR/etc/pacman.conf"
 sed 's/Include = /&rootfs/g' < "$BUILDDIR/etc/pacman.conf" > pacman.conf
+sed -i '/#DisableSandbox/{c\
+# No kernel landlock in containerd\
+DisableSandbox
+}' "$BUILDDIR/etc/pacman.conf"
+
 cp --recursive --preserve=timestamps rootfs/* "$BUILDDIR/"
 ln -fs /usr/lib/os-release "$BUILDDIR/etc/os-release"
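Review bot: The address `/#DisableSandbox/` in the added `sed -i` is unanchored and nothing verifies that it matched. If the template pacman.conf ever lacks that exact commented line, the image ships with the sandbox still enabled and the landlock error from #103 comes back without any build failure; a longer option name that merely begins with `#DisableSandbox` would also be rewritten. Anchor the address as `/^#DisableSandbox$/` and follow the sed with `grep -qx 'DisableSandbox' "$BUILDDIR/etc/pacman.conf"` so the build stops when the setting did not land (this relies on errexit, which is set outside the hunk if at all). Separately, `DisableSandbox` turns off pacman's download sandbox for every consumer of the image, including hosts where Landlock may be usable, so the comment written into pacman.conf should state that trade-off, for example `# Download sandbox disabled: Landlock unavailable under containerd (#103); re-enable where supported\`.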