fix!: oci perms

existing users of config.copyToRoot quite likely need to hove the contents of this key to setup = []; - config.copyToRoot may prime the nix2container permission cache with a parent folder (e.g. /bin) and conflicting permissions'

Author: blaggacao

src/lib/ops/mkOCI.nix

@@ -32,6 +32,7 @@ in
       then l.head meta.tags
       else null,
     setup ? [],
+    extraSetupLinks ? "",
     layers ? [],
     runtimeInputs ? [],
     uid ? "65534",
@@ -45,8 +46,20 @@ in
     setupLinks = cell.ops.mkSetup "links" [] ''
       mkdir -p $out/bin
       ln -s ${l.getExe entrypoint} $out/bin/entrypoint
+      ${extraSetupLinks}
     '';
 
+    root = nixpkgs.buildEnv {
+      name = "root";
+      paths =
+        setup
+        ++ [
+          # trick `buildEnv` and prevent the $out`/bin` to be a symlink
+          (nixpkgs.runCommand "setupDirs" {} "mkdir -p $out/bin")
+          setupLinks
+        ];
+    };
+
     image =
       l.throwIf (args ? tag && meta ? tags)
       "mkOCI/mkStandardOCI/mkDevOCI: use of `tag` and `meta.tags` arguments are not supported together. Remove the former."
@@ -73,23 +86,7 @@ in
             ++ layers;
 
           maxLayers = 25;
-          copyToRoot =
-            [
-              (nixpkgs.buildEnv {
-                name = "root";
-                paths =
-                  setup
-                  ++ [
-                    # trick `buildEnv` and prevent the $out`/bin` to be a symlink
-                    (nixpkgs.runCommand "setupDirs" {}
-                      ''
-                        mkdir -p $out/bin
-                      '')
-                    setupLinks
-                  ];
-              })
-            ]
-            ++ options.copyToRoot or [];
+          copyToRoot = [root] ++ options.copyToRoot or [];
 
           config = l.recursiveUpdate config {
             User = uid;
@@ -99,7 +96,14 @@ in
           };
 
           # Setup tasks can include permissions via the passthru.perms attribute
-          perms = l.flatten ((l.map (s: l.optionalAttrs (s ? passthru && s.passthru ? perms) s.passthru.perms)) setup) ++ perms;
+          perms =
+            l.flatten ((l.map (
+                s:
+                  l.optionals (s ? passthru && s.passthru ? perms)
+                  (l.map (p: p // {path = root;}) s.passthru.perms)
+              ))
+              setup)
+            ++ perms;
         }
       );
   in let

src/lib/ops/mkSetup.nix

@@ -15,7 +15,6 @@ in
   */
   name: perms: contents: let
     setup = nixpkgs.runCommand "oci-setup-${name}" {} contents;
-    perms' = l.map (p: p // {path = setup;}) perms;
   in
     setup
-    // l.optionalAttrs (perms != []) {passthru.perms = perms';}
+    // l.optionalAttrs (perms != []) {passthru = {inherit perms;};}

src/lib/ops/mkStandardOCI.nix

@@ -73,19 +73,12 @@ in
       else operable;
 
     inherit (nixpkgs.dockerTools) caCertificates;
-    setupLinks =
-      cell.ops.mkSetup "links" [
-        {
-          regex = "/bin";
-          mode = "0555";
-        }
-      ] ''
-        mkdir -p $out/bin
-        ${runtimeEntryLink}
-        ${debugEntryLink}
-        ${livenessLink}
-        ${readinessLink}
-      '';
+    extraSetupLinks = ''
+      ${runtimeEntryLink}
+      ${debugEntryLink}
+      ${livenessLink}
+      ${readinessLink}
+    '';
 
     users = cell.ops.mkUser {
       inherit uid gid;
@@ -128,8 +121,9 @@ in
                 ++ (l.optionals hasReadinessProbe [(nix2container.buildLayer {deps = [readinessProbe];})]);
             })
           ];
-          setup = prepend [setupLinks users nss];
-          options.copyToRoot = append [tmp caCertificates];
+          setup = prepend [users nss caCertificates];
+          inherit extraSetupLinks;
+          options.copyToRoot = append [tmp];
           perms = prepend [
             {
               path = tmp;