Explicitly set mode of workspace to 700

If the sticky bit is set on the parent directory of the workspace,
it's inherited by the workspace directory and then inherited by the
image root directory and infects the entire image. Let's make sure
it is not set on the workspace directory to avoid leaking host specific
details into the image.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index bd9017600f52857b5bbdc42a4c87294a1c2cc8f3..faefef5eb3dbd9de2baaf8250bb2c7148e40237c 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3346,6 +3346,7 @@ def normalize_mtime(root: Path, mtime: Optional[int], directory: Optional[Path]
 def setup_workspace(args: Args, config: Config) -> Iterator[Path]:
     with contextlib.ExitStack() as stack:
         workspace = Path(tempfile.mkdtemp(dir=config.workspace_dir_or_default(), prefix="mkosi-workspace"))
+        os.chmod(workspace, 0o700)
         stack.callback(lambda: rmtree(workspace, tools=config.tools(), sandbox=config.sandbox))
         (workspace / "tmp").mkdir(mode=0o1777)