rofl/build: Remove FixPermissions and fix concat

Author: ptrus

build/env/env.go

@@ -7,8 +7,6 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
-
-	"github.com/oasisprotocol/cli/cmd/common"
 )
 
 // ExecEnv is an execution environment.
@@ -24,10 +22,6 @@ type ExecEnv interface {
 	// environment.
 	PathToEnv(path string) (string, error)
 
-	// FixPermissions ensures that the user executing this process owns the file at the given path
-	// outside the environment.
-	FixPermissions(path string) error
-
 	// HasBinary returns true iff the given binary name is available in this environment.
 	HasBinary(name string) bool
 
@@ -58,11 +52,6 @@ func (ne *NativeEnv) PathToEnv(path string) (string, error) {
 	return path, nil
 }
 
-// FixPermissions implements ExecEnv.
-func (ne *NativeEnv) FixPermissions(string) error {
-	return nil
-}
-
 // HasBinary implements ExecEnv.
 func (ne *NativeEnv) HasBinary(name string) bool {
 	path, err := exec.LookPath(name)
@@ -194,23 +183,6 @@ func (de *ContainerEnv) PathToEnv(path string) (string, error) {
 	return "", fmt.Errorf("bad path '%s'", path)
 }
 
-// FixPermissions implements ExecEnv.
-func (de *ContainerEnv) FixPermissions(path string) error {
-	path, err := de.PathToEnv(path)
-	if err != nil {
-		return err
-	}
-
-	cmd := exec.Command("chown", fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid()), path) //nolint: gosec
-	if err = de.WrapCommand(cmd); err != nil {
-		return err
-	}
-	if common.IsVerbose() {
-		fmt.Println(cmd)
-	}
-	return cmd.Run()
-}
-
 // HasBinary implements ExecEnv.
 func (de *ContainerEnv) HasBinary(string) bool {
 	return true

cmd/rofl/build/artifacts.go

@@ -459,39 +459,38 @@ func createVerityHashTree(buildEnv env.ExecEnv, fsFn, hashFn string) (string, er
 		return "", fmt.Errorf("%w\n%s", err, out.String())
 	}
 
-	if err = buildEnv.FixPermissions(fsFn); err != nil {
-		return "", err
-	}
-	if err = buildEnv.FixPermissions(hashFn); err != nil {
-		return "", err
-	}
-	if err = buildEnv.FixPermissions(rootHashFn); err != nil {
-		return "", err
-	}
-
 	data, err := os.ReadFile(rootHashFn)
 	if err != nil {
 		return "", fmt.Errorf("failed to read dm-verity root hash: %w", err)
 	}
 	return string(data), nil
 }
 
-// concatFiles appends the contents of file b to a.
-func concatFiles(a, b string) error {
-	df, err := os.OpenFile(a, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
+// concatFiles appends the contents of file b to a using the given build environment.
+// This ensures the operation works correctly with containerized builds where the host
+// may not have write permissions to container-created files.
+func concatFiles(buildEnv env.ExecEnv, a, b string) error {
+	aEnv, err := buildEnv.PathToEnv(a)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to translate path: %w", err)
 	}
-	defer df.Close()
-
-	sf, err := os.Open(b)
+	bEnv, err := buildEnv.PathToEnv(b)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to translate path: %w", err)
 	}
-	defer sf.Close()
 
-	_, err = io.Copy(df, sf)
-	return err
+	// Use shell to append file b to file a.
+	cmd := exec.Command("sh", "-c", fmt.Sprintf("cat %q >> %q", bEnv, aEnv)) //nolint:gosec
+	var out strings.Builder
+	cmd.Stderr = &out
+	cmd.Stdout = &out
+	if err = buildEnv.WrapCommand(cmd); err != nil {
+		return err
+	}
+	if err = cmd.Run(); err != nil {
+		return fmt.Errorf("%w\n%s", err, out.String())
+	}
+	return nil
 }
 
 // padWithEmptySpace pads the given file with empty space to make it the given size. See

cmd/rofl/build/tdx.go

@@ -166,7 +166,7 @@ func tdxPrepareStage2(
 	}
 
 	// Concatenate filesystem and hash tree into one image.
-	if err = concatFiles(rootfsImage, hashFile); err != nil {
+	if err = concatFiles(buildEnv, rootfsImage, hashFile); err != nil {
 		return nil, fmt.Errorf("failed to concatenate rootfs and hash tree files: %w", err)
 	}