[PATCH] scripts/make-erofs.sh: Standardize file modes in images
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.

This requires that /var always exist, so add it to img/app/Makefile.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 3 ++-
img/app/Makefile | 2 +-
scripts/make-erofs.sh | 21 +++++++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -40,7 +40,8 @@ DIRS = \ ext \ proc \ run \ - sys + sys \ + var FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo diff --git a/img/app/Makefile b/img/app/Makefile index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root mv $@.tmp $@ -DIRS = dev run proc sys tmp \ +DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh
@@ -68,4 +68,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done +# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" --- base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9 change-id: 20251021-fix-permissions-4549d0653368 -- Sincerely, Demi Marie Obenour (she/her/hers)
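Review bot: the commit message says only that /var is added to img/app/Makefile, but the host/rootfs/Makefile hunk adds `var` to DIRS there as well; name both Makefiles in the message, since both roots now have to carry an empty /var for the second `find "$root/etc" "$root/var"` in make-erofs.sh to succeed.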
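Review bot: in the make-erofs.sh hunk, `chmod 0755 "$root"` leaves the image root owner-writable, while the commit message states that every directory outside /etc and /var ends up 0555; either make the root 0555 like its siblings or say in the comment why it is the exception. The header comment also claims the modes are made independent of those in the Nix store, yet `-path "$root/nix/store" -prune` leaves store paths untouched; the comment should state why the store can be skipped.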
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 3 ++-
img/app/Makefile | 2 +-
scripts/make-erofs.sh | 21 +++++++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
This doesn't seem to have addressed the review comments from last time[1] — the special handling for directories that might want to use overlayfs in future is still there even though it's uncertain we'll ever do that, and so is -execdir. To save us both time, I've just gone ahead and made the changes, and pushed a simplified version of this. Thanks for fixing it — I'm glad I didn't have to work out that find command myself, and now we can move forward with running things as non-root. [1]: https://spectrum-os.org/lists/archives/spectrum-devel/877bxs570x.fsf@alyssa....
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -40,7 +40,8 @@ DIRS = \ ext \ proc \ run \ - sys + sys \ + var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root mv $@.tmp $@
-DIRS = dev run proc sys tmp \ +DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -68,4 +68,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
--- base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9 change-id: 20251021-fix-permissions-4549d0653368
-- Sincerely, Demi Marie Obenour (she/her/hers)
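As a check on the mode policy the commit message above states (an added example, not code from the patch or from the project), the following script verifies that a populated image root has the intended modes and flags every path that does not. It assumes GNU find for `-printf`; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the patch): verify that a populated image
# root follows the mode policy stated in the commit message:
#   under etc/ or var/: dirs and executables 0755, other files 0644
#   everywhere else:    dirs and executables 0555, other files 0444
#   the image root:     0755, as the patch's final chmod sets it
# Assumes GNU find (for -printf). Symlinks are skipped, since Linux
# ignores their mode bits. Paths with leading or trailing blanks are
# mangled by `read`; such names do not occur in these images.

# Print "path: have MMM, want MMM" for every path violating the policy.
image_mode_violations() {
    find "$1" ! -type l -printf '%y %m %P\n' | while read -r type mode rel; do
        perm=${mode#"${mode%???}"}     # keep only the last three octal digits
        case $rel in
            ''|etc|etc/*|var|var/*) rx=755 r=644 ;;   # '' is the root itself
            *)                      rx=555 r=444 ;;
        esac
        # Directories, and files with any x bit set (an odd octal digit),
        # must use the r-x mode; everything else the r-- mode.
        case "$type$perm" in
            d*|*[1357]*) want=$rx ;;
            *)           want=$r ;;
        esac
        [ "$perm" = "$want" ] || printf '%s: have %s, want %s\n' "$rel" "$perm" "$want"
    done
}

# Exit 0 when the tree is compliant, 1 otherwise (violations are printed).
check_image_modes() {
    out=$(image_mode_violations "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Build a small constructed tree with hand-set modes so the check can be
# exercised offline. $1 must be an existing, empty directory.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc/s6" "$root/var/log" "$root/bin" "$root/nix/store"
    printf 'x\n' > "$root/etc/s6/conf";      chmod 644 "$root/etc/s6/conf"
    printf '#!/bin/sh\n' > "$root/bin/tool"; chmod 555 "$root/bin/tool"
    printf 'y\n' > "$root/nix/store/data";   chmod 444 "$root/nix/store/data"
    chmod 755 "$root" "$root/etc" "$root/etc/s6" "$root/var" "$root/var/log"
    chmod 555 "$root/bin" "$root/nix" "$root/nix/store"
}
```

Run `check_image_modes "$root"` after the population step and before `mkfs.erofs` to fail the build on any stray mode.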
participants (2):
- Alyssa Ross
- Demi Marie Obenour