Store cache in canonical format

This stores the cache in the canonical format (i.e. uid/gid 0 and no weird permissions). This has two advantages, first of all it matches what flatpak build-export will produce, so diff:ing with the final result will make things easier to read, shared repos will be smaller, etc. Secondly, it will allow us to switch to bare-user-only mode which means we don't need/use xattrs for the build filesystem. Note: We bump the cache format as the cache will change affecting e.g. ostree diff between different cachepoints, so this will rebuild everything once. Closes: #80 Approved by: alexlarsson
2017-12-11 11:47:32 +01:00 · 2017-12-11 11:47:32 +01:00 · 6a8e2af98f
parent c421beb086
commit 6a8e2af98f
2 changed files with 38 additions and 2 deletions
--- a/src/builder-cache.c
+++ b/src/builder-cache.c
@ -523,6 +523,42 @@ mtree_prune_old_files (OstreeMutableTree *mtree,
  return TRUE;
 }

+static OstreeRepoCommitFilterResult
+commit_filter (OstreeRepo *repo,
+               const char *path,
+               GFileInfo  *file_info,
+               gpointer    commit_data)
+{
+  guint mode;
+
+  /* No user info */
+  g_file_info_set_attribute_uint32 (file_info, "unix::uid", 0);
+  g_file_info_set_attribute_uint32 (file_info, "unix::gid", 0);
+
+  /* In flatpak, there is no real reason for files to have different
+   * permissions based on the group or user really, everything is
+   * always used readonly for everyone. Having things be writeable
+   * for anyone but the user just causes risks for the system-installed
+   * case. So, we canonicalize the mode to writable only by the user,
+   * readable to all, and executable for all for directories and
+   * files that the user can execute.
+  */
+  mode = g_file_info_get_attribute_uint32 (file_info, "unix::mode");
+  if (g_file_info_get_file_type (file_info) == G_FILE_TYPE_DIRECTORY)
+    mode = 0755 | S_IFDIR;
+  else if (g_file_info_get_file_type (file_info) == G_FILE_TYPE_REGULAR)
+    {
+      /* If use can execute, make executable by all */
+      if (mode & S_IXUSR)
+        mode = 0755 | S_IFREG;
+      else /* otherwise executable by none */
+        mode = 0644 | S_IFREG;
+    }
+  g_file_info_set_attribute_uint32 (file_info, "unix::mode", mode);
+
+  return OSTREE_REPO_COMMIT_FILTER_ALLOW;
+}
+
 gboolean
 builder_cache_commit (BuilderCache *self,
                      const char   *body,
@ -558,7 +594,7 @@ builder_cache_commit (BuilderCache *self,
  mtree = ostree_mutable_tree_new ();

  modifier = ostree_repo_commit_modifier_new (OSTREE_REPO_COMMIT_MODIFIER_FLAGS_SKIP_XATTRS,
-                                              NULL, NULL, NULL);
+                                              (OstreeRepoCommitFilter) commit_filter, NULL, NULL);
  if (self->devino_to_csum_cache)
    ostree_repo_commit_modifier_set_devino_cache (modifier, self->devino_to_csum_cache);

--- a/src/builder-manifest.h
+++ b/src/builder-manifest.h
@ -38,7 +38,7 @@ typedef struct BuilderManifest BuilderManifest;
 #define BUILDER_IS_MANIFEST(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), BUILDER_TYPE_MANIFEST))

 /* Bump this if format changes in incompatible ways to force rebuild */
-#define BUILDER_MANIFEST_CHECKSUM_VERSION "4"
+#define BUILDER_MANIFEST_CHECKSUM_VERSION "5"
 #define BUILDER_MANIFEST_CHECKSUM_CLEANUP_VERSION "1"
 #define BUILDER_MANIFEST_CHECKSUM_FINISH_VERSION "2"
 #define BUILDER_MANIFEST_CHECKSUM_BUNDLE_SOURCES_VERSION "1"