Demi Marie Obenour writes: > Enforce that anything under /var or /etc is 0755 for directories and > executable files and 0644 for anything else. Enforce that anything else > is 0555 for directories and executable files and 0444 for anything else. > This avoids depending on factors that may depend on the build > environment, such as the user's umask. > > This requires that /var always exist, so add it to img/app/Makefile. > > Signed-off-by: Demi Marie Obenour > --- > host/rootfs/Makefile | 3 ++- > img/app/Makefile | 2 +- > scripts/make-erofs.sh | 21 +++++++++++++++++++++ > 3 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -97,7 +97,8 @@ DIRS = \ > ext \ > run \ > proc \ > - sys > + sys \ > + var > > FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo > > diff --git a/img/app/Makefile b/img/app/Makefile > index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 > --- a/img/app/Makefile > +++ b/img/app/Makefile > @@ -57,7 +57,7 @@ VM_FILES = \ > etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ > etc/xdg/xdg-desktop-portal/portals.conf > > -VM_DIRS = dev run proc sys tmp \ > +VM_DIRS = dev run proc sys tmp var \ > etc/s6-linux-init/run-image/service \ > etc/s6-linux-init/run-image/user \ > etc/s6-linux-init/run-image/wait > diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh > index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 > --- a/scripts/make-erofs.sh > +++ b/scripts/make-erofs.sh 
> @@ -95,4 +95,25 @@ while read -r arg1; do > cp -RT -- "$arg1" "$root/$arg2" > done > > +# Ensure that the permissions in the image are independent > +# of those in the git repository or Nix store, except for > +# the executable bit. In particular, the mode of those > +# outside the Nix store might depend on the user's umask. > +# While the image itself is strictly read-only, it makes > +# sense to populate an overlayfs over /etc and /var, and > +# this overlayfs should be writable by root and readable > +# by all users. The remaining paths should not be writable > +# by anyone, but should be world-readable. > +find "$root" \ > + -path "$root/nix/store" -prune -o \ > + -path "$root/etc" -prune -o \ > + -path "$root/var" -prune -o \ > + -type l -o \ > + -type d -a -perm 0555 -o \ > + -type f -a -perm 0444 -o \ > + -execdir chmod ugo-w,ugo+rX -- '{}' + > +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + > +chmod 0755 "$root" > + > +# Make the erofs image. > mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" The idea here is reproducibility, right? Can the body mention that? And can we limit it to just doing r-Xr-Xr-X for now, and then worry about the overlayfs stuff later if we need to? (This also means we don't have to add /var until we need it.) I'd also like to stick to POSIX features for standard utilities where possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
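Review bot: the host/rootfs/Makefile hunk adds var to the host DIRS list, but the commit message only says /var is added to img/app/Makefile; either the message should state that the host image also needs /var (and why), or this hunk should be dropped if only the app image requires it, since nothing in the patch explains the second addition.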
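Review bot: in the scripts/make-erofs.sh hunk, `chmod ugo-w,ugo+rX` (and the `u+w,go-w,ugo+rX` form used under etc and var) clears write bits and adds read/search bits but leaves setuid, setgid and sticky bits in place, so a 4755 file in the source tree would land in the image as 4555 rather than the 0555 the commit message promises; adding `a-s` (and `-t` where the sticky bit could appear) to the mode strings, or using an absolute mode per branch, would make the enforced modes match the stated ones. Separately, `-execdir` is a GNU/BSD extension; because every path here is already rooted at `$root`, `-exec chmod ... -- '{}' +` is equivalent and keeps the script within POSIX find.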