unshare pmbootstrap!

Use sandbox functions to unshare the entire pmbootstrap process with
user namespaces.

This lets us do whatever we want without polluting the global mount
namepsace, and eliminates the need for "pmbootstrap shutdown".

Currently install is broken since it uses loop devices, this should be
addressed by using something like systemd.repartd (or doing all the
offset calculation and gpt stuff ourselves).

Signed-off-by: Casey Connolly <kcxt@postmarketos.org>

pmbootstrap.py

@@ -6,9 +6,38 @@
 import sys
 import pmb
 import os
+from pmb.init import sandbox
 
 original_uid = os.geteuid()
 
+sandbox.acquire_privileges(become_root=False)
+# Unshare mount namespace
+sandbox.unshare(sandbox.CLONE_NEWNS)
+# sandbox.seccomp_suppress(chown=True)
+
+# print("Caps: ")
+# with open("/proc/self/status", "rb") as f:
+#     for line in f.readlines():
+#         if line.startswith(b"CapEff:"):
+#             print(line)
+
+# print(f"cap_sys_admin: {sandbox.have_effective_cap(sandbox.CAP_SYS_ADMIN)}")
+# print(f"single user: {sandbox.userns_has_single_user()}")
+
+# We set up a very basic mount environment, where we just bind mount the host
+# rootfs in. We can extend this in the future to isolate the pmb workdir but
+# for now this is enough.
+fsops = [
+    sandbox.BindOperation(
+        "/",
+        "/",
+        readonly=False,
+        required=True,
+        relative=False,
+    )
+]
+sandbox.setup_mounts(fsops)
+
 # A convenience wrapper for running pmbootstrap from the git repository. This
 # script is not part of the python packaging, so don't add more logic here!
 if __name__ == "__main__":