Commit 1f824fb

cgwalters authored and Johan-Liebert1 committed
build: Fix /usr/lib permissions clobbered by COPY --from=packaging
The COPY --from=packaging /usr-extras/ /usr/ step overwrites directory metadata from the packaging image layer. The directories under contrib/packaging/usr-extras/ have 0770 permissions (group/world-inaccessible) when built with a restrictive umask, which gets baked into the packaging stage. When COPY merges /usr-extras/ into /usr/, the destination directory metadata is updated from the source, so /usr/lib ends up 0770 (drwxrwx---) instead of the correct 0755.

This causes subtle but fatal failures: non-root system daemons (polkit, dbus-broker, etc.) can't traverse /usr/lib to exec their binaries, so the booted system never becomes SSH-reachable. This is why all centos-10 grub+bls integration tests have been failing in the merge queue for the last three days.

Fix by replacing the COPY with a RUN --mount=type=bind,from=packaging that uses install(1) with explicit -m flags: -D creates the destination directory and -m 0644 sets the file mode, guaranteeing correct permissions regardless of the builder's umask.

Assisted-by: OpenCode (Claude Sonnet 4.6)
Signed-off-by: Colin Walters <walters@verbum.org>
1 parent aa712ff commit 1f824fb

1 file changed

Lines changed: 3 additions & 2 deletions

Dockerfile

@@ -261,8 +261,9 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
261261
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
262262
--mount=type=bind,from=packages,src=/,target=/run/packages \
263263
/run/packaging/install-rpm-and-setup /run/packages
264-
# Inject some other configuration
265-
COPY --from=packaging /usr-extras/ /usr/
264+
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
265+
--mount=type=bind,from=packaging,src=/usr-extras,target=/run/usr-extras \
266+
install -D -m 0644 -t /usr/lib/bootc/kargs.d /run/usr-extras/lib/bootc/kargs.d/*.toml
266267
# Clean up package manager caches
267268
RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
268269
--mount=type=bind,from=packaging,src=/,target=/run/packaging \
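
Review bot: The install line added at +266 only picks up "lib/bootc/kargs.d/*.toml", while the removed "COPY --from=packaging /usr-extras/ /usr/" merged the whole /usr-extras/ tree, so any file later added elsewhere under usr-extras will be silently left out of the image. The removed "# Inject some other configuration" comment also has no replacement; a short comment on the new RUN saying that install(1) is used on purpose to avoid inheriting directory modes from the packaging stage, and that each new path under usr-extras needs its own install line, would keep someone from reverting to COPY. Since "-m 0644" is the file mode and nothing in this hunk checks directory modes, a build-time assertion on the mode of /usr/lib (for example with stat) would catch this class of regression before the integration tests do.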
