From: Demi Marie Obenour
Date: Thu, 04 Sep 2025 17:26:29 -0400
Subject: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
Message-Id: <20250904-systemd-v1-7-2a63b790a913@gmail.com>
References: <20250904-systemd-v1-0-2a63b790a913@gmail.com>
In-Reply-To: <20250904-systemd-v1-0-2a63b790a913@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

Enforce that anything under /var or /etc is 0755 for directories and
executable files and 0644 for anything else. Enforce that anything else
is 0555 for directories and executable files and 0444 for anything else.
This avoids depending on factors that may depend on the build
environment, such as the user's umask.

This requires that /var always exist, so add it to img/app/Makefile. Signed-off-by: Demi Marie Obenour --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -97,7 +97,8 @@ DIRS = \ ext \ run \ proc \ - sys + sys \ + var FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo diff --git a/img/app/Makefile b/img/app/Makefile index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,7 +57,7 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf -VM_DIRS = dev run proc sys tmp \ +VM_DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh 
@@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done +# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" -- 2.51.0
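Review bot: In the host/rootfs/Makefile hunk, `var` is added to DIRS, but the commit message only says /var is added to img/app/Makefile. Please mention both Makefiles in the message, since the second find in scripts/make-erofs.sh takes "$root/etc" and "$root/var" as start points and will report an error for any image root that lacks either directory.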
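Review bot: In the scripts/make-erofs.sh hunk, both chmod calls (`ugo-w,ugo+rX` and `u+w,go-w,ugo+rX`) only change the r, w and x bits, so a setuid, setgid or sticky bit already present on a file or directory under "$root" is carried into the image, and because the image is built with `mkfs.erofs ... --all-root`, a surviving setuid bit means setuid root. The `-perm 0555` and `-perm 0444` tests are exact matches, so such entries do reach chmod; clearing the special bits there would be enough, for example `chmod a-wst,a+rX` in the first find and `chmod a-st,u+w,go-w,a+rX` in the second, or else the comment should say that special bits are kept on purpose. Separately, the final `chmod 0755 "$root"` leaves the image root owner-writable although it is outside /etc and /var, which the comment ("should not be writable by anyone") and the commit message (0555 for other directories) do not account for; a short note on why the root needs 0755 would help.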