Demi Marie Obenour writes: > On 9/19/25 13:50, Alyssa Ross wrote: >> Demi Marie Obenour writes: >> >>> Enforce that anything under /var or /etc is 0755 for directories and >>> executable files and 0644 for anything else. Enforce that anything else >>> is 0555 for directories and executable files and 0444 for anything else. >>> This avoids depending on factors that may depend on the build >>> environment, such as the user's umask. >>> >>> This requires that /var always exist, so add it to img/app/Makefile. >>> >>> Signed-off-by: Demi Marie Obenour >>> --- >>> host/rootfs/Makefile | 3 ++- >>> img/app/Makefile | 2 +- >>> scripts/make-erofs.sh | 21 +++++++++++++++++++++ >>> 3 files changed, 24 insertions(+), 2 deletions(-) >>> >>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile >>> index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 >>> --- a/host/rootfs/Makefile >>> +++ b/host/rootfs/Makefile >>> @@ -97,7 +97,8 @@ DIRS = \ >>> ext \ >>> run \ >>> proc \ >>> - sys >>> + sys \ >>> + var >>> >>> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo >>> >>> diff --git a/img/app/Makefile b/img/app/Makefile >>> index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 >>> --- a/img/app/Makefile >>> +++ b/img/app/Makefile >>> @@ -57,7 +57,7 @@ VM_FILES = \ >>> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ >>> etc/xdg/xdg-desktop-portal/portals.conf >>> >>> -VM_DIRS = dev run proc sys tmp \ >>> +VM_DIRS = dev run proc sys tmp var \ >>> etc/s6-linux-init/run-image/service \ >>> etc/s6-linux-init/run-image/user \ >>> etc/s6-linux-init/run-image/wait >>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh >>> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 >>> --- a/scripts/make-erofs.sh >>> +++ b/scripts/make-erofs.sh 
>>> @@ -95,4 +95,25 @@ while read -r arg1; do >>> cp -RT -- "$arg1" "$root/$arg2" >>> done >>> >>> +# Ensure that the permissions in the image are independent >>> +# of those in the git repository or Nix store, except for >>> +# the executable bit. In particular, the mode of those >>> +# outside the Nix store might depend on the user's umask. >>> +# While the image itself is strictly read-only, it makes >>> +# sense to populate an overlayfs over /etc and /var, and >>> +# this overlayfs should be writable by root and readable >>> +# by all users. The remaining paths should not be writable >>> +# by anyone, but should be world-readable. >>> +find "$root" \ >>> + -path "$root/nix/store" -prune -o \ >>> + -path "$root/etc" -prune -o \ >>> + -path "$root/var" -prune -o \ >>> + -type l -o \ >>> + -type d -a -perm 0555 -o \ >>> + -type f -a -perm 0444 -o \ >>> + -execdir chmod ugo-w,ugo+rX -- '{}' + >>> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + >>> +chmod 0755 "$root" >>> + >>> +# Make the erofs image. >>> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
>>
>> The idea here is reproducibility, right? Can the body mention that?
>
> Yes, it is. I will fix this in v2.
>
>> And can we limit it to just doing r-Xr-Xr-X for now, and then worry
>> about the overlayfs stuff later if we need to? (This also means we
>> don't have to add /var until we need it.)
>
> systemd-udevd needs /var to be mounted read-write. Without that,
> its behavior (and that of all other systemd tools) is undefined
> past a certain point in early boot.

It does? That's surprising to me, since lots of initrds will run
systemd-udevd and I suspect not have /var (such as the NixOS one, I
think). Looking at systemd's build system, I only see three uses of
localstatedir: polkitpkladir, systemdstatedir, and randomseeddir. As
far as I can tell, none of these are used by systemd-udevd.
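Review bot: the commit message only says /var is added to img/app/Makefile, but the host/rootfs/Makefile hunk adds `var` to DIRS as well; the message should name both files and state where the dependency comes from (the second `find "$root/etc" "$root/var"` in make-erofs.sh errors out if either starting point does not exist), so a reader does not have to reverse-engineer why the host rootfs now carries an empty /var.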
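Review bot: the img/app/Makefile hunk makes every app image ship an empty /var solely so that `find "$root/etc" "$root/var"` in make-erofs.sh has a valid starting point, while whether /var is needed at runtime at all is still disputed in this thread; consider having the script skip a missing /var (pass only the directories that exist, or test with `[ -d "$root/var" ]` first) and keep this hunk only if the systemd-udevd requirement is confirmed.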
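Review bot: in the make-erofs.sh hunk, `chmod ugo-w,ugo+rX` and `chmod u+w,go-w,ugo+rX` leave set-user-ID, set-group-ID and sticky bits exactly as they came from the checkout or Nix store, so the result is not pinned to 0555/0444 and 0755/0644 as the commit message claims and the modes still depend on the build environment; clear those bits too (for example `u-s,g-s,o-t` in both mode strings) or say in the comment that only the executable bit is meant to be inherited. Separately, the trailing `chmod 0755 "$root"` contradicts the comment's "remaining paths should not be writable by anyone"; if the image root must be 0755, the comment should say why.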
>> I'd also like to stick to POSIX features for standard utilities where
>> possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
>
> Per 'man 1 find', the find command I provided is POSIX except for
> -execdir. However, -execdir is also documented as being provided
> by BSD OSs. The documentation also warns against -exec, though
> the race that -execdir blocks is irrelevant here.

Yeah, exactly. Might as well use the POSIX one when it suffices.
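As an added example (not the patch above and not Spectrum project code), here is the same mode normalization written with only POSIX find and chmod features: `-exec ... {} +` in place of `-execdir`, a missing /var skipped rather than required, and the set-user-ID, set-group-ID and sticky bits cleared as well, since `ugo-w,ugo+rX` alone would carry them over from the build environment. The sample tree, its deliberately inconsistent modes and the use of `mktemp -d` are my own constructions; the `-perm 0555`/`-perm 0444` shortcuts of the original are dropped because they only skip entries that are already correct.

```shell
#!/bin/sh
# Added example, not the Spectrum patch or project code: normalize file modes
# in a staged image root using only POSIX find/chmod features. Policy follows
# the patch (0555/0444 outside /etc and /var, 0755/0644 inside, executable
# bit preserved, /nix/store untouched) but also clears setuid/setgid/sticky.
set -eu

# normalize_modes ROOT: rewrite modes below ROOT so they no longer depend on
# the umask or checkout the files came from. Symlinks are skipped so chmod
# never follows them into their targets.
normalize_modes() {
    root=$1
    find "$root" \
        -path "$root/nix/store" -prune -o \
        -path "$root/etc" -prune -o \
        -path "$root/var" -prune -o \
        -type l -o \
        -exec chmod u-s,g-s,o-t,ugo-w,ugo+rX -- {} +
    # Root-writable, world-readable trees. A missing /var is tolerated
    # rather than required, so images that do not need one need not ship it.
    for d in "$root/etc" "$root/var"; do
        [ -d "$d" ] || continue
        find "$d" ! -type l -exec chmod u-s,g-s,o-t,u+w,go-w,ugo+rX -- {} +
    done
}

# mode_of PATH: the symbolic mode field of ls -l (its format is POSIX-specified).
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# demo: build a constructed tree with the kind of inconsistent modes a dirty
# checkout or an unusual umask produces, normalize it, and print "path mode"
# for the entries worth checking.
demo() {
    tmp=$(mktemp -d)   # assumption: mktemp -d is available (not POSIX, but ubiquitous)
    root=$tmp/root
    mkdir -p "$root/bin" "$root/etc/foo" "$root/var/lib" "$root/nix/store/abc"
    printf 'x' > "$root/bin/tool";           chmod 2751 "$root/bin/tool"      # setgid, too tight for others
    printf 'x' > "$root/etc/foo/conf";       chmod 0600 "$root/etc/foo/conf"  # umask 077 leftover
    printf 'x' > "$root/var/lib/state";      chmod 0666 "$root/var/lib/state" # umask 000 leftover
    printf 'x' > "$root/nix/store/abc/keep"; chmod 0600 "$root/nix/store/abc/keep"
    chmod 1777 "$root/var/lib"                                                # sticky, world-writable
    ln -s /nonexistent "$root/etc/link"                                       # must never be followed
    normalize_modes "$root"
    for p in bin bin/tool etc etc/foo/conf var/lib var/lib/state nix/store/abc/keep; do
        printf '%s %s\n' "$p" "$(mode_of "$root/$p")"
    done
    rm -rf "$tmp"
}

demo
```

The image root itself is a starting point of the first `find` and therefore ends up 0555 here; the patch sets it back to 0755 with a separate chmod afterwards. Everything under /nix/store keeps whatever mode it had (0600 in the sample), which is what the `-prune` is for.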