From 648c6e1d867e09f71bfb1303fa3e5af5cb6ebb54 Mon Sep 17 00:00:00 2001
From: Cesar Talledo <cesar.talledo@docker.com>
Date: Mon, 9 Dec 2024 17:21:21 -0800
Subject: [PATCH] Relax /var/lib/sysbox access permissions for the shiftfs
 checker.

The shiftfs checker needs to create dirs and files under /var/lib/sysbox. Since
the checker does this from within a user-namespace, it needs read-write-execute
"other" permissions. Adjust sysbox-mgr to temporarily provide such access to
the shiftfs checker. Once the check completes, the permissions of
/var/lib/sysbox are set to the usual (0710).

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
---
 utils.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/utils.go b/utils.go
index 50de28c..1364756 100644
--- a/utils.go
+++ b/utils.go
@@ -923,7 +923,9 @@ func checkIDMapMountSupport(ctx *cli.Context) (bool, bool, error) {
 
 	// The sysbox lib dir may have restrictive permissions; loosen those up
 	// temporarily while we perform the ID-map check since it runs inside a
-	// Linux user-ns.
+	// Linux user-ns. Note that unlike the shiftfs checker, the ID-map checker
+	// does not create files from within the user-namespace so it does not need
+	// write-other permissions.
 	fi, err := os.Stat(sysboxLibDir)
 	if err != nil {
 		return false, false, err
@@ -957,20 +959,23 @@ func checkIDMapMountSupport(ctx *cli.Context) (bool, bool, error) {
 
 func checkShiftfsSupport(ctx *cli.Context) (bool, bool, error) {
 
-	// The sysbox lib dir may have restrictive permissions; loosen those up
-	// temporarily while we perform the shiftfs check since it runs inside a
-	// Linux user-ns.
+	// The sysbox lib dir may have restrictive permissions; relax those up
+	// temporarily while we perform the shiftfs check because it runs inside a
+	// Linux user-ns. Since the shiftfs checker creates files from within the
+	// user-namespace, we temporarily allow "rwx-other" permissions on the sysbox
+	// lib dir.
 	fi, err := os.Stat(sysboxLibDir)
 	if err != nil {
 		return false, false, err
 	}
 	origPerm := fi.Mode()
 
-	if err := os.Chmod(sysboxLibDir, 0755); err != nil {
-		return false, false, fmt.Errorf("failed to chmod %s to 0755: %s", sysboxLibDir, err)
+	if err := os.Chmod(sysboxLibDir, 0777); err != nil {
+		return false, false, fmt.Errorf("failed to chmod %s to 0777: %s", sysboxLibDir, err)
 	}
 
 	defer func() {
+		// Revert back to the original sysbox lib dir permissions once the shiftfs check is done.
 		os.Chmod(sysboxLibDir, origPerm)
 	}()