From f1369a1add9552ec2f11cc97ee5e9e09f02b49ff Mon Sep 17 00:00:00 2001 From: Noam Angel Date: Mon, 22 May 2017 05:13:34 +0000 Subject: [PATCH] Set manifest permissions in the image This is a follow-on to 57ef187632c97eb7c2f27207c19f11336b28d97c. There's two things going on here; DIB_MANIFEST_IMAGE_DIR is *outside* the chroot on the build host. We copy the files here for posterity, I guess. MANIFEST_IMAGE_PATH is *inside* the chroot and are the files we want to ensure are locked to root. The prior change modified the permissions on DIB_MANIFEST_IMAGE_DIR. So the first time you build, it works -- then the second time, assuming you're using the same output filename, it hits the root-owned manifest directories and causes a build failure. I have built with this and checked that the manifest files in the image are locked to root: $ virt-ls -a ./test.qcow2 -l /etc/dib-manifests total 32 drwxr-xr-x 2 0 0 4096 May 24 03:39 . drwxr-xr-x 53 0 0 4096 May 24 03:39 .. -rw------- 1 0 0 15236 May 24 03:39 dib-manifest-dpkg-test -rw------- 1 0 0 35 May 24 03:39 dib_arguments -rw------- 1 0 0 137 May 24 03:39 dib_environment Related-Bug: #1671842 Change-Id: I08319d0b5fcc461d40fe0be8427dcf0e37ad21e6
---
 .../elements/manifests/cleanup.d/01-copy-manifests-dir | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/diskimage_builder/elements/manifests/cleanup.d/01-copy-manifests-dir b/diskimage_builder/elements/manifests/cleanup.d/01-copy-manifests-dir
index 15aec9738..3ac192568 100755
--- a/diskimage_builder/elements/manifests/cleanup.d/01-copy-manifests-dir
+++ b/diskimage_builder/elements/manifests/cleanup.d/01-copy-manifests-dir
@@ -32,9 +32,12 @@ MANIFEST_IMAGE_PATH=${TMP_MOUNT_PATH}/${DIB_MANIFEST_IMAGE_DIR}
 echo "$DIB_ENV" | sudo dd of=${MANIFEST_IMAGE_PATH}/dib_environment # dib-lint: safe_sudo
 echo "$DIB_ARGS" | sudo dd of=${MANIFEST_IMAGE_PATH}/dib_arguments # dib-lint: safe_sudo

+# Save the manifests locally to the save dir
 mkdir -p ${DIB_MANIFEST_SAVE_DIR}
 cp --no-preserve=ownership -rv ${MANIFEST_IMAGE_PATH} ${DIB_MANIFEST_SAVE_DIR}

-# may contain passwords, etc, so limit permissions
-find ${DIB_MANIFEST_SAVE_DIR} -type f | xargs sudo chown root:root # dib-lint: safe_sudo
-find ${DIB_MANIFEST_SAVE_DIR} -type f | xargs sudo chmod 600 # dib-lint: safe_sudo
+# Lock down permissions on the manifest files inside the image to
+# root. We don't want regular users being able to see what might
+# contain a password, etc.
+find ${MANIFEST_IMAGE_PATH} -type f | xargs sudo chown root:root # dib-lint: safe_sudo
+find ${MANIFEST_IMAGE_PATH} -type f | xargs sudo chmod 600 # dib-lint: safe_sudo
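Review bot: The host-side copy in `${DIB_MANIFEST_SAVE_DIR}` is now left at whatever mode the unprivileged `cp` gives it, which for the `sudo dd`-written files is presumably 644 unless the build user's umask already strips group/other bits, and the removed comment says these manifests may contain passwords, so on a shared build host they become readable by other local users. What broke rebuilds was the `chown root:root` on the save dir, not the mode; keeping those files owned by the build user but adding `find ${DIB_MANIFEST_SAVE_DIR} -type f -exec chmod 600 {} +` after the `cp` (no sudo needed) closes that gap without reintroducing the failure. The two new in-image lines would also be more robust as `find ${MANIFEST_IMAGE_PATH} -type f -exec sudo chmod 600 {} + # dib-lint: safe_sudo` (and likewise for the chown), which tolerates whitespace in names and does not run chmod with no operands if the directory is empty. The script's earlier setup, including the `MANIFEST_IMAGE_PATH` assignment shown in the hunk header, lies outside the hunk.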