Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/19/25 13:50, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -97,7 +97,8 @@ DIRS = \ ext \ run \ proc \ - sys + sys \ + var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,7 +57,7 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp \ +VM_DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
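Review bot: in the scripts/make-erofs.sh hunk, the symbolic modes `ugo-w,ugo+rX` and `u+w,go-w,ugo+rX` never touch the setuid, setgid or sticky bits, so a file that is 4755 in the source tree lands in the image as 4555, not the 0555 the commit message promises; add `u-s,g-s,o-t` to both mode strings (or switch to octal modes) if the result is really meant to be independent of the source tree. The new comment also says the modes are made independent of "those in the git repository or Nix store", but `-path "$root/nix/store" -prune` leaves the store untouched; either say that store paths are left as-is (and why) or drop the prune. The `-perm 0555` and `-perm 0444` branches only skip entries the chmod would leave unchanged anyway, so they can go if simplicity is preferred.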
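Review bot: the commit message says only "add it to img/app/Makefile", but the host/rootfs/Makefile hunk adds `var` to DIRS as well; the message should mention both, and ideally say which consumer needs /var so a reviewer can check the claim.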
The idea here is reproducibility, right? Can the body mention that?
Yes, it is. I will fix this in v2.
And can we limit it to just doing r-Xr-Xr-X for now, and then worry about the overlayfs stuff later if we need to? (This also means we don't have to add /var until we need it.)
systemd-udevd needs /var to be mounted read-write. Without that, its behavior (and that of all other systemd tools) is undefined past a certain point in early boot.
It does? That's surprising to me, since lots of initrds will run systemd-udevd and I suspect not have /var (such as the NixOS one, I think). Looking at systemd's build system, I only see three uses of localstatedir: polkitpkladir, systemdstatedir, and randomseeddir. As far as I can tell, none of these are used by systemd-udevd.
I'd also like to stick to POSIX features for standard utilities where possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
Per 'man 1 find', the find command I provided is POSIX except for -execdir. However, -execdir is also documented as being provided by BSD OSs. The documentation also warns against -exec, though the race that -execdir blocks is irrelevant here.
Yeah, exactly. Might as well use the POSIX one when it suffices.
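For reference, the normalisation step written with POSIX find and chmod only, using -exec as agreed above. This is an added example, not the project's make-erofs.sh: the function names normalize_modes and mode_of are illustrative, the Nix store prune is omitted, and clearing setuid/setgid/sticky bits (u-s,g-s,o-t) is an addition beyond the posted patch so that the result depends on nothing but the executable bit.

```shell
# Added example, not the project's script. Normalises modes under a staging
# root so the image does not depend on the build user's umask or on modes in
# the source tree: everything outside ROOT/etc and ROOT/var becomes 0555
# (directories and files with any execute bit) or 0444 (other files);
# ROOT/etc and ROOT/var stay writable by the owner, 0755/0644. Symlinks are
# skipped; setuid, setgid and sticky bits are cleared everywhere.
# Only POSIX find/chmod features are used (no -execdir, no -perm /mode).
normalize_modes() {
  root=$1

  # Read-only tree: drop special bits, drop write, add read, add X where
  # the entry is a directory or already has an execute bit.
  find "$root" \
    -path "$root/etc" -prune -o \
    -path "$root/var" -prune -o \
    -type l -o \
    -exec chmod u-s,g-s,o-t,ugo-w,ugo+rX -- {} +

  # Owner-writable tree (overlayfs upper dirs, state directories).
  for d in "$root/etc" "$root/var"; do
    [ -d "$d" ] && find "$d" ! -type l \
      -exec chmod u-s,g-s,o-t,u+w,go-w,ugo+rX -- {} +
  done

  # The staging root itself stays writable so the image builder can use it.
  chmod 0755 "$root"
}

# mode_of PATH: the 10-character type/permission field of ls -l, e.g.
# "-r-xr-xr-x"; POSIX-portable, unlike stat -c. Used to check results.
mode_of() {
  ls -ld -- "$1" | cut -c1-10
}

# Usage: normalize_modes /path/to/staging-root
```

Because chmod's `X` only grants execute where some execute bit is already set, the executable bit is the one property that survives from the source tree, which is exactly what the commit message describes.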