From 6886e4442597f67ea4153e3f6d9ac6e9444795a5 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 9 Feb 2021 21:18:49 +0000
Subject: [PATCH] scripts: Bind /usr/share/empty over /usr/share/rpm

Now that we inject the `%_dbpath /usr/share/rpm` macro, `rpm -q` will start using it. But in RPM script invocation, we don't want them to see any RPM database at all - trying to query it should be a clean failure.
---
 src/libpriv/rpmostree-scripts.cxx | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/libpriv/rpmostree-scripts.cxx b/src/libpriv/rpmostree-scripts.cxx
index f7adb08f..4b1f5429 100644
--- a/src/libpriv/rpmostree-scripts.cxx
+++ b/src/libpriv/rpmostree-scripts.cxx
@@ -378,6 +378,9 @@ rpmostree_run_script_in_bwrap_container (int rootfs_fd,
 if (glnx_fstatat (rootfs_fd, "usr/lib/opt", &stbuf, AT_SYMLINK_NOFOLLOW, NULL) && S_ISDIR(stbuf.st_mode))
 rpmostree_bwrap_append_bwrap_argv (bwrap, "--symlink", "usr/lib/opt", "/opt", NULL);
 
+ /* Don't let scripts see the base rpm database by default */
+ rpmostree_bwrap_bind_read (bwrap, "usr/share/empty", "usr/share/rpm");
+
 /* Add ostree-booted API; some scriptlets may work differently on OSTree systems; e.g.
 * akmods. Just create it manually; /run is usually tmpfs, but scriptlets shouldn't be
 * adding stuff there anyway. */
-- 
2.29.2
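Review bot: The new `rpmostree_bwrap_bind_read (bwrap, "usr/share/empty", "usr/share/rpm")` call is unconditional, unlike the `usr/lib/opt` symlink just above it, which is guarded by `glnx_fstatat`; nothing visible in the hunk confirms that `usr/share/empty` exists in the target rootfs. If it is missing, the likely result is an opaque bwrap setup failure for every scriptlet, so an explicit check with a clear error would be easier to diagnose, e.g. `if (!glnx_fstatat (rootfs_fd, "usr/share/empty", &stbuf, AT_SYMLINK_NOFOLLOW, error)) return FALSE;` (this assumes the function's `GError` out-parameter is in scope; the body starts and ends outside the hunk). The check should fail closed rather than skip the bind, because skipping it would leave the rpm database readable by scripts, which is exactly what the commit is trying to prevent. The comment could also state the intended failure mode from the commit message, e.g. `/* Mask the rpmdb with an empty directory so rpm queries from scriptlets fail cleanly */`.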