mkosi: set file permissions in copy of source tree (#8370)

Meson keeps permissions around during the build, so details of how umask
was set when cloning the original git tree will leak all the way to the
installed files in the mkosi image.

So reset the permissions of the files in the copy of the tree before
starting the build.

Also set the umask explicitly.

Tested by creating a mkosi image and booting it on a tree that was
cloned with a umask of 027, confirmed that the *.target files were not
created as world-unreadable anymore.

diff --git a/mkosi.build b/mkosi.build
index 7cdcd6c74186dbd88e3cb53f731ae10f8dd9f95f..131eb9fd906093fcec701944884b499364bde12d 100755 (executable)
--- a/mkosi.build
+++ b/mkosi.build
@@ -21,6 +21,14 @@ set -ex
 # This is a build script for OS image generation using mkosi (https://github.com/systemd/mkosi).
 # Simply invoke "mkosi" in the project directory to build an OS image.
 
+# Reset the permissions of the tree. Since Meson keeps the permissions
+# all the way to the installed files, reset them to one of 0644 or 0755
+# so the files keep those permissions, otherwise details of what umask
+# was set at the time the git tree was cloned will leak all the way
+# through. Also set umask explicitly during the build.
+chmod -R u+w,go-w,a+rX .
+umask 022
+
 # If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
 # as out-of-tree build dir. Otherwise, let's make up our own builddir.
 [ -z "$BUILDDIR" ] && BUILDDIR=build