On 9/19/25 13:50, Alyssa Ross wrote: > Demi Marie Obenour writes: > >> Enforce that anything under /var or /etc is 0755 for directories and >> executable files and 0644 for anything else. Enforce that anything else >> is 0555 for directories and executable files and 0444 for anything else. >> This avoids depending on factors that may depend on the build >> environment, such as the user's umask. >> >> This requires that /var always exist, so add it to img/app/Makefile. >> >> Signed-off-by: Demi Marie Obenour >> --- >> host/rootfs/Makefile | 3 ++- >> img/app/Makefile | 2 +- >> scripts/make-erofs.sh | 21 +++++++++++++++++++++ >> 3 files changed, 24 insertions(+), 2 deletions(-) >> >> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile >> index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 >> --- a/host/rootfs/Makefile >> +++ b/host/rootfs/Makefile >> @@ -97,7 +97,8 @@ DIRS = \ >> ext \ >> run \ >> proc \ >> - sys >> + sys \ >> + var >> >> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo >> >> diff --git a/img/app/Makefile b/img/app/Makefile >> index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 >> --- a/img/app/Makefile >> +++ b/img/app/Makefile >> @@ -57,7 +57,7 @@ VM_FILES = \ >> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ >> etc/xdg/xdg-desktop-portal/portals.conf >> >> -VM_DIRS = dev run proc sys tmp \ >> +VM_DIRS = dev run proc sys tmp var \ >> etc/s6-linux-init/run-image/service \ >> etc/s6-linux-init/run-image/user \ >> etc/s6-linux-init/run-image/wait >> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh >> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 >> --- a/scripts/make-erofs.sh >> +++ b/scripts/make-erofs.sh 
>> @@ -95,4 +95,25 @@ while read -r arg1; do >> cp -RT -- "$arg1" "$root/$arg2" >> done >> >> +# Ensure that the permissions in the image are independent >> +# of those in the git repository or Nix store, except for >> +# the executable bit. In particular, the mode of those >> +# outside the Nix store might depend on the user's umask. >> +# While the image itself is strictly read-only, it makes >> +# sense to populate an overlayfs over /etc and /var, and >> +# this overlayfs should be writable by root and readable >> +# by all users. The remaining paths should not be writable >> +# by anyone, but should be world-readable. >> +find "$root" \ >> + -path "$root/nix/store" -prune -o \ >> + -path "$root/etc" -prune -o \ >> + -path "$root/var" -prune -o \ >> + -type l -o \ >> + -type d -a -perm 0555 -o \ >> + -type f -a -perm 0444 -o \ >> + -execdir chmod ugo-w,ugo+rX -- '{}' + >> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + >> +chmod 0755 "$root" >> + >> +# Make the erofs image. >> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" > > The idea here is reproducibility, right? Can the body mention that? Yes, it is. I will fix this in v2. > And can we limit it to just doing r-Xr-Xr-X for now, and then worry > about the overlayfs stuff later if we need to? (This also means we > don't have to add /var until we need it.) systemd-udevd needs /var to be mounted read-write. Without that, its behavior (and that of all other systemd tools) is undefined past a certain point in early boot. > I'd also like to stick to POSIX features for standard utilities where > possible, which it should be here. (I know cp -T isn't POSIX. 🤫) Per 'man 1 find', the find command I provided is POSIX except for -execdir. However, -execdir is also documented as being provided by BSD OSs. The documentation also warns against -exec, though the race that -execdir blocks is irrelevant here. -- Sincerely, Demi Marie Obenour (she/her/hers)
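Review bot: in the host/rootfs/Makefile hunk, `var` is added to DIRS but the commit message only explains the new /var for img/app/Makefile ("This requires that /var always exist, so add it to img/app/Makefile"). State in the message why the host rootfs needs /var as well; the reply above gives the actual reason (systemd-udevd needs /var mounted read-write early in boot), and that belongs in the body rather than only in the thread.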
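Review bot: in the img/app/Makefile hunk, adding `var` to VM_DIRS only creates an empty directory in a read-only erofs image; nothing in this patch mounts the writable overlayfs that the make-erofs.sh comment says should cover /etc and /var, so the read-write /var that systemd-udevd needs still has to come from somewhere else. Say in the commit message where that mount is set up, or that it is a follow-up, so the reason for adding the directory now is clear to the reader of the log.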
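Review bot: in the make-erofs.sh hunk, `chmod ugo-w,ugo+rX` and `chmod u+w,go-w,ugo+rX` never clear the setuid, setgid or sticky bits, so a file that arrives as 4755 ends up as 4555 rather than the exact 0555 the commit message promises, and the image mode still depends on the source tree. Add `a-st` to both chmod invocations (e.g. `chmod a-st,ugo-w,ugo+rX -- '{}' +`) or assign numeric modes. Two smaller points: the final `chmod 0755 "$root"` contradicts the message's "0555 for directories" for the image root, so a comment on why the root differs would help; and since the reply says POSIX features are preferred and the race `-execdir` guards against is irrelevant here, `-exec chmod ... -- '{}' +` would keep the script within POSIX find.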