[PATCH] scripts/make-erofs.sh: Standardize file modes in images

[Demi Marie Obenour <demiobenour@gmail.com>]

Enforce that anything under /var or /etc is 0755 for directories and
executable files and 0644 for anything else.  Enforce that anything else
is 0555 for directories and executable files and 0444 for anything else.
This avoids depending on factors that may depend on the build
environment, such as the user's umask.

This requires that /var always exist, so add it to img/app/Makefile.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/rootfs/Makefile  |  3 ++-
 img/app/Makefile      |  2 +-
 scripts/make-erofs.sh | 21 +++++++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -40,7 +40,8 @@ DIRS = \
 	ext \
 	proc \
 	run \
-	sys
+	sys \
+	var
 
 FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
 
diff --git a/img/app/Makefile b/img/app/Makefile
index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie
 	    build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root
 	mv $@.tmp $@
 
-DIRS = dev run proc sys tmp \
+DIRS = dev run proc sys tmp var \
 	etc/s6-linux-init/run-image/service \
 	etc/s6-linux-init/run-image/user \
 	etc/s6-linux-init/run-image/wait
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -68,4 +68,25 @@ while read -r arg1; do
 	cp -RT -- "$arg1" "$root/$arg2"
 done
 
+# Ensure that the permissions in the image are independent
+# of those in the git repository or Nix store, except for
+# the executable bit.  In particular, the mode of those
+# outside the Nix store might depend on the user's umask.
+# While the image itself is strictly read-only, it makes
+# sense to populate an overlayfs over /etc and /var, and
+# this overlayfs should be writable by root and readable
+# by all users.  The remaining paths should not be writable
+# by anyone, but should be world-readable.
+find "$root" \
+  -path "$root/nix/store" -prune -o \
+  -path "$root/etc" -prune -o \
+  -path "$root/var" -prune -o \
+  -type l -o \
+  -type d -a -perm 0555 -o \
+  -type f -a -perm 0444 -o \
+  -execdir chmod ugo-w,ugo+rX -- '{}' +
+find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
+chmod 0755 "$root"
+
+# Make the erofs image.
 mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"

---
base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9
change-id: 20251021-fix-permissions-4549d0653368

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)