[antlir2] Complete fix for file permissions in OCI layer generation

Liubov Dmitrieva · meta-codesync[bot] · commit 1db78ea49022 · 2025-12-10T06:11:40.000-08:00
Summary:
D88790669 fixed file permissions for metadata-only changes (Contents::Unset
branch) but missed files with content changes (Contents::File branch). When
D88743755 switched from append_file() to append_data(), both code paths lost
automatic permission preservation. This diff applies the same permission
preservation logic to the Contents::File branch, completing the fix.

The issue was visible in fbcode-buck images where files like /etc/passwd had
incorrect permissions (----------). These files went through the Contents::File
path since they had content modifications, not just metadata changes.

In next diff we will cover the scenario with tests.

Test Plan:
buck2 test fbcode//mode/dev //antlir/antlir2/antlir2_packager/make_oci_layer:test-file-permissions

the previous fix only fixed:

```
 liuba ⛅️  ~/fbsource/fbcode
 [🥭] → buck run 'mode/opt' //atlas/specs/generated/fbsource-scm-tools:devcompute.image.fbsource-scm-tools-podman-run
```

however it didn't for:

```
 liuba ⛅️  ~/fbsource/fbcode
 [🍋] → buck run 'mode/opt' //atlas/specs/generated/fbcode-buck:devcompute.image.fbcode-buck-podman-run
```

Reviewed By: c-ryan747

Differential Revision: D88848270

fbshipit-source-id: 00eb26ba5f6f256eab4fc75a4b7e8435c1bbb3ac
diff --git a/antlir/antlir2/antlir2_packager/make_oci_layer/src/main.rs b/antlir/antlir2/antlir2_packager/make_oci_layer/src/main.rs
@@ -276,10 +276,18 @@ fn main() -> Result<()> {
                         // to avoid GNU sparse headers (type 'S' = 83) which some container
                         // runtimes (podman/skopeo) cannot handle.
                         // Use the accumulated entry.header which contains metadata from
-                        // change stream operations (Create, Chmod, Chown, etc.)
+                        // change stream operations (Create, Chmod, Chown, etc.), but also
+                        // preserve permissions from filesystem if not already set.
                         // Seek to beginning in case file handle is not at start
                         f.rewind()?;
                         let metadata = f.metadata()?;
+                        // Preserve permissions from filesystem. On Unix, mode() includes
+                        // file type bits, so mask with 0o7777 to get just permission bits.
+                        #[cfg(unix)]
+                        {
+                            use std::os::unix::fs::PermissionsExt;
+                            entry.header.set_mode(metadata.permissions().mode() & 0o7777);
+                        }
                         entry.header.set_size(metadata.len());
                         entry.header.set_entry_type(EntryType::Regular);
                         builder.append_data(&mut entry.header, path, &mut f)?;
