review: move file perm to wrapper

Author: archandatta

images/chromium-headful/Dockerfile

@@ -308,7 +308,4 @@ COPY server/runtime/playwright-executor.ts /usr/local/lib/playwright-executor.ts
 
 RUN useradd -m -s /bin/bash kernel
 
-# Make policy directory writable for runtime updates
-RUN chown -R kernel:kernel /etc/chromium/policies
-
 ENTRYPOINT [ "/wrapper.sh" ]

images/chromium-headful/wrapper.sh

@@ -62,6 +62,8 @@ if [[ "${RUN_AS_ROOT:-}" != "true" ]]; then
 
   # Ensure correct ownership (ignore errors if already correct)
   chown -R kernel:kernel /home/kernel /home/kernel/user-data /home/kernel/.config /home/kernel/.pki /home/kernel/.cache 2>/dev/null || true
+  # Make policy directory writable for runtime updates
+  chown -R kernel:kernel /etc/chromium/policies 2>/dev/null || true
 else
   # When running as root, just create the necessary directories without ownership changes
   dirs=(

images/chromium-headless/image/Dockerfile

@@ -187,9 +187,6 @@ ENV WITHDOCKER=true
 # Create a non-root user with a home directory
 RUN useradd -m -s /bin/bash kernel
 
-# Make policy directory writable for runtime updates
-RUN chown -R kernel:kernel /etc/chromium/policies
-
 # supervisor  start scripts
 COPY images/chromium-headless/image/start-xvfb.sh /images/chromium-headless/image/start-xvfb.sh
 RUN chmod +x /images/chromium-headless/image/start-xvfb.sh

images/chromium-headless/image/wrapper.sh

@@ -102,6 +102,8 @@ if [[ "${RUN_AS_ROOT:-}" != "true" ]]; then
 
   # Ensure correct ownership (ignore errors if already correct)
   chown -R kernel:kernel /home/kernel /home/kernel/user-data /home/kernel/.config /home/kernel/.pki /home/kernel/.cache 2>/dev/null || true
+  # Make policy directory writable for runtime updates
+  chown -R kernel:kernel /etc/chromium/policies 2>/dev/null || true
 else
   # When running as root, just create the necessary directories without ownership changes
   dirs=(