Merge pull request #40 from stacklok/rootfs-root-xattr

JAORMX · web-flow · commit 3c37a1bd8cc1 · 2026-03-11T11:43:22.000+02:00
Fix rootfs root directory permissions and xattr
diff --git a/image/pull.go b/image/pull.go
@@ -130,6 +130,15 @@ func PullWithFetcher(ctx context.Context, imageRef string, cache *Cache, fetcher
 		}
 	}
 
+	// Ensure the rootfs root directory itself is world-accessible and has
+	// the override_stat xattr. The root dir is created by os.MkdirTemp
+	// (mode 0700) and no tar entry covers it, so without this fix the
+	// guest's uid 1000 user cannot traverse /.
+	if err := os.Chmod(tmpDir, 0o755); err != nil {
+		slog.Warn("chmod rootfs root dir failed", "err", err)
+	}
+	xattr.SetOverrideStat(tmpDir, 0, 0, os.ModeDir|0o755)
+
 	// Move into cache if available. The extraction is fresh and this is
 	// the only reference, so FromCache stays false — callers may safely
 	// modify the rootfs in place without a COW clone.
diff --git a/rootfs/clone.go b/rootfs/clone.go
@@ -115,6 +115,10 @@ func CloneDir(srcDir, dstDir string) error {
 		_ = os.Chmod(dirsToRestore[i].path, dirsToRestore[i].perm)
 	}
 
+	// Copy the override_stat xattr on the root directory itself.
+	// The walk skips "." so the root dir's xattr is not covered above.
+	xattr.CopyOverrideStat(srcDir, dstDir)
+
 	return nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,10 @@ func CloneDir(srcDir, dstDir string) error {`
`115`	`115`	`_ = os.Chmod(dirsToRestore[i].path, dirsToRestore[i].perm)`
`116`	`116`	`}`
`117`	`117`
	`118`	`+ // Copy the override_stat xattr on the root directory itself.`
	`119`	`+ // The walk skips "." so the root dir's xattr is not covered above.`
	`120`	`+ xattr.CopyOverrideStat(srcDir, dstDir)`
	`121`	`+`
`118`	`122`	`return nil`
`119`	`123`	`}`
`120`	`124`