From: Demi Marie Obenour <demiobenour@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
Cc: Demi Marie Obenour <demiobenour@gmail.com>, Alyssa Ross <hi@alyssa.is>
Subject: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
Date: Thu, 04 Sep 2025 17:26:29 -0400 [thread overview]
Message-ID: <20250904-systemd-v1-7-2a63b790a913@gmail.com> (raw)
In-Reply-To: <20250904-systemd-v1-0-2a63b790a913@gmail.com>
Enforce that anything under /var or /etc is 0755 for directories and
executable files and 0644 for anything else. Enforce that anything else
is 0555 for directories and executable files and 0444 for anything else.
This avoids depending on factors that may depend on the build
environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 3 ++-
img/app/Makefile | 2 +-
scripts/make-erofs.sh | 21 +++++++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -97,7 +97,8 @@ DIRS = \
ext \
run \
proc \
- sys
+ sys \
+ var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile
index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -57,7 +57,7 @@ VM_FILES = \
etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp \
+VM_DIRS = dev run proc sys tmp var \
etc/s6-linux-init/run-image/service \
etc/s6-linux-init/run-image/user \
etc/s6-linux-init/run-image/wait
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -95,4 +95,25 @@ while read -r arg1; do
cp -RT -- "$arg1" "$root/$arg2"
done
+# Ensure that the permissions in the image are independent
+# of those in the git repository or Nix store, except for
+# the executable bit. In particular, the mode of those
+# outside the Nix store might depend on the user's umask.
+# While the image itself is strictly read-only, it makes
+# sense to populate an overlayfs over /etc and /var, and
+# this overlayfs should be writable by root and readable
+# by all users. The remaining paths should not be writable
+# by anyone, but should be world-readable.
+find "$root" \
+ -path "$root/nix/store" -prune -o \
+ -path "$root/etc" -prune -o \
+ -path "$root/var" -prune -o \
+ -type l -o \
+ -type d -a -perm 0555 -o \
+ -type f -a -perm 0444 -o \
+ -execdir chmod ugo-w,ugo+rX -- '{}' +
+find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
+chmod 0755 "$root"
+
+# Make the erofs image.
mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
--
2.51.0
next prev parent reply other threads:[~2025-09-04 23:48 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable Demi Marie Obenour
2025-09-08 8:21 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time Demi Marie Obenour
2025-09-08 8:23 ` Alyssa Ross
2025-09-08 16:57 ` Demi Marie Obenour
2025-09-09 15:19 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod Demi Marie Obenour
2025-09-08 8:28 ` Alyssa Ross
2025-09-08 17:14 ` Demi Marie Obenour
2025-09-10 18:45 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 04/20] scripts/make-erofs.sh: Validate all paths Demi Marie Obenour
2025-09-08 8:36 ` Alyssa Ross
2025-09-08 18:21 ` Demi Marie Obenour
2025-09-10 18:54 ` Alyssa Ross
2025-09-21 12:09 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname Demi Marie Obenour
2025-09-10 20:04 ` Alyssa Ross
2025-09-10 20:06 ` Demi Marie Obenour
2025-09-19 16:47 ` Alyssa Ross
2025-09-19 19:04 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir Demi Marie Obenour
2025-09-08 8:39 ` Alyssa Ross
2025-09-04 21:26 ` Demi Marie Obenour [this message]
2025-09-08 8:46 ` [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images Alyssa Ross
2025-09-08 17:16 ` Demi Marie Obenour
2025-09-19 17:50 ` Alyssa Ross
2025-09-19 19:18 ` Demi Marie Obenour
2025-09-21 12:23 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 08/20] Standardize directories and symlinks " Demi Marie Obenour
2025-09-08 8:59 ` Alyssa Ross
2025-09-08 18:05 ` Demi Marie Obenour
2025-09-19 17:53 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 09/20] Add os-release file Demi Marie Obenour
2025-09-08 9:12 ` Alyssa Ross
2025-09-08 18:07 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 10/20] host/rootfs: Set -eu in build Demi Marie Obenour
2025-09-08 9:13 ` Alyssa Ross
2025-09-08 18:08 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 11/20] Add /dev/fd and /dev/std* Demi Marie Obenour
2025-09-08 9:18 ` Alyssa Ross
2025-09-08 18:12 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 12/20] host/rootfs: Do not read from /dev/tty1 Demi Marie Obenour
2025-09-08 9:19 ` Alyssa Ross
2025-09-08 18:18 ` Demi Marie Obenour
2025-09-19 18:22 ` Alyssa Ross
2025-09-19 19:00 ` Demi Marie Obenour
2025-09-21 9:01 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0 Demi Marie Obenour
2025-09-08 9:44 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools Demi Marie Obenour
2025-09-08 9:24 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 15/20] host/rootfs: Use real less, not BusyBox less Demi Marie Obenour
2025-09-08 9:25 ` Alyssa Ross
2025-09-08 18:16 ` Demi Marie Obenour
2025-09-19 18:45 ` Alyssa Ross
2025-09-19 19:01 ` Demi Marie Obenour
2025-09-21 9:02 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 16/20] host/rootfs: explicitly set PATH in network add script Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory Demi Marie Obenour
2025-09-08 9:27 ` Alyssa Ross
2025-09-08 18:15 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket Demi Marie Obenour
2025-09-08 9:44 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 19/20] host/rootfs: Disable unneeded busybox stuff Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 20/20] host/rootfs: Switch to systemd Demi Marie Obenour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250904-systemd-v1-7-2a63b790a913@gmail.com \
--to=demiobenour@gmail.com \
--cc=devel@spectrum-os.org \
--cc=hi@alyssa.is \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://spectrum-os.org/git/crosvm
https://spectrum-os.org/git/doc
https://spectrum-os.org/git/mktuntap
https://spectrum-os.org/git/nixpkgs
https://spectrum-os.org/git/spectrum
https://spectrum-os.org/git/ucspi-vsock
https://spectrum-os.org/git/www
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).