From: Demi Marie Obenour
Date: Wed, 22 Oct 2025 17:04:36 -0400
Subject: [PATCH] scripts/make-erofs.sh: Standardize file modes in images
Message-Id: <20251022-fix-permissions-v1-1-ba1f113fae6f@gmail.com>
To: Spectrum OS Development
CC: Alyssa Ross, Demi Marie Obenour
List-Id: Patches and low-level development discussion

Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else.
This avoids depending on factors that may depend on the build environment, such as the user's umask. This requires that /var always exist, so add it to img/app/Makefile. Signed-off-by: Demi Marie Obenour --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -40,7 +40,8 @@ DIRS = \ ext \ proc \ run \ - sys + sys \ + var FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo diff --git a/img/app/Makefile b/img/app/Makefile index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root mv $@.tmp $@ -DIRS = dev run proc sys tmp \ +DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh 
@@ -68,4 +68,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done +# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" --- base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9 change-id: 20251021-fix-permissions-4549d0653368 -- Sincerely, Demi Marie Obenour (she/her/hers)
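
Review bot: The host/rootfs/Makefile hunk adds `var` to DIRS, but the commit message only says /var is added to img/app/Makefile. Please mention the host rootfs change in the message as well, since the new `find "$root/etc" "$root/var"` call in scripts/make-erofs.sh needs the directory to exist in both images.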
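
Review bot: In the scripts/make-erofs.sh hunk, neither chmod call clears the setuid, setgid or sticky bits. `ugo-w,ugo+rX` and `u+w,go-w,ugo+rX` only change r/w/x, and because `-perm 0555` and `-perm 0444` are exact matches, a file with mode 4555 still reaches chmod and keeps its setuid bit. With mkfs.erofs run under `--all-root`, such a file would be setuid and owned by root in the image, and the resulting modes would still depend on the source tree, which is what the comment says the block is meant to prevent. Consider clearing those bits explicitly in both mode strings, or state in the comment that they are preserved on purpose. A related point in the second find: `! -type l` matches everything that is not a symlink, so if the s6-svscan-log FIFO named in FIFOS of host/rootfs/Makefile is present under "$root/etc" when this runs, it gains `ugo+r`. Limiting that find to `-type d` and `-type f` would leave special files at the modes they were created with.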