BIN: Update build/sandbox-venv

Author: kernc

build/sandbox-venv

@@ -4,6 +4,8 @@
 # Also re‑wrap any new scripts post installation by pip etc.
 # shellcheck disable=SC2317
 set -eu
+# shellcheck disable=SC3040
+case "$(set -o)" in *pipefail*) set -o pipefail ;; esac
 
 for arg; do case "$arg" in -h|-\?|--help) echo "Usage: ${0##*/} [VENV_DIR] [BWRAP_OPTS]    # Dir defaults to .venv"; exit ;; esac; done
 
@@ -60,7 +62,8 @@ import shutil
 import subprocess
 import sys
 if __name__ == '__main__':
-    subprocess.run([shutil.which('/bin/bash') or '/bin/sh', *sys.argv[1:]])
+    shell = shutil.which('/bin/bash') or '/bin/sh'
+    sys.exit(subprocess.run([shell, *sys.argv[1:]]).returncode)
 EOF
 }
 
@@ -101,6 +104,8 @@ exit 0
 # sandbox-venv: Secure container sandbox venv wrapper (GENERATED CODE)
 # pip wrapper: Re-run sandbox-venv after every pip installation
 set -u
+# shellcheck disable=SC3040
+case "$(set -o)" in *pipefail*) set -o pipefail ;; esac
 alias realpath='realpath --no-symlinks'
 
 venv="$(realpath "${0%/*}/..")"
@@ -144,7 +149,8 @@ exit $pip_return_status
 #!/bin/sh
 # sandbox-venv: Secure container sandbox venv wrapper (GENERATED CODE)
 set -eu
-
+# shellcheck disable=SC3040
+case "$(set -o)" in *pipefail*) set -o pipefail ;; esac
 alias realpath='realpath --no-symlinks'
 warn () { echo "sandbox-venv/wrapper: $*" >&2; }
 
@@ -170,18 +176,23 @@ executables="
     /usr/bin/python3
 
     /usr/bin/git
+    /usr/bin/git-receive-pack
+    /usr/bin/git-upload-archive
+    /usr/bin/git-upload-pack
 
     /bin/bash
     /bin/env
     /bin/ls
-    /bin/sh"
+    /bin/sh
+    /bin/uname
+    "
 
 case $- in *x*) xtrace=-x ;; *) xtrace=+x ;; esac; set +x
 
 # Collect binaries' lib dependencies
 lib_deps () {
-    readelf -l "$1" | awk '/interpreter/ {print $NF}' | tr -d '[]'
-    ldd "$1" | awk '/=>/ { print $3 }' | { grep -E '^/' || true; }
+    { readelf -l "$1" 2>/dev/null || true; } | awk '/interpreter/ {print $NF}' | tr -d '[]'
+    { ldd "$1" 2>/dev/null || true; } | awk '/=>/ { print $3 }' | { grep -E '^/' || true; }
 }
 collect="$executables"
 for exe in $executables; do
@@ -193,6 +204,7 @@ done
 root_so_lib_dirs="
     /usr/lib/python3*/lib-dynload
     /usr/lib64/python3*/lib-dynload"
+# XXX: If some `git` tools are failing, add $(find /usr/lib/git-core -type f)
 for exe in $(find "$venv/lib" $root_so_lib_dirs -name '*.so' 2>/dev/null || true); do
     collect="$collect
         $(lib_deps "$exe")"
@@ -208,9 +220,14 @@ git_libs="
     /usr/lib*/git-core
 "
 ro_bind_extra="
+    /etc/hosts
     /etc/resolv.conf
-    /usr/share/locale/
+
+    /etc/ld.so.cache
+    /etc/os-release
+    /usr/share/locale
     /usr/share/zoneinfo
+
     /usr/share/ca-certificates*
     /etc/pki
     /etc/ssl
@@ -281,7 +298,7 @@ set -- --bind "$venv/cache" "$home/.cache" \
        --bind "$pip_cache" "$home/.cache/pip" "$@"
 
 # Pass our own redacted copy of env
-for var in $(env | grep -E '^(USER|LOGNAME|UID|SHLVL|SHELL|TERM|LANG|LC_.*|HOSTNAME)$'); do
+for var in $(env | grep -E '^(USER|LOGNAME|UID|PATH|TERM|LANGUAGE|LANG|LC_.*?|HOSTNAME)='); do
     set -- --setenv "${var%%=*}" "${var#*=}" "$@"
 done