Removing writable permissions in squashfs images vs overlayfs

Peter Naulls peter at chocky.org
Mon Oct 24 06:39:44 PDT 2022


On 10/23/22 23:35, Phillip Lougher wrote:
> On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls <peter at chocky.org> wrote:

> What you probably want is the following
> 
> % mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

It is, fantastic, thank you.

I added to include/image.mk:

--- a/include/image.mk
+++ b/include/image.mk
@@ -76,6 +76,7 @@ SQUASHFS_BLOCKSIZE := $(CONFIG_TARGET_SQUASHFS_BLOCK_SIZE)k
  SQUASHFSOPT := -b $(SQUASHFS_BLOCKSIZE)
  SQUASHFSOPT += -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1'
  SQUASHFSOPT += $(if $(CONFIG_SELINUX),-xattrs,-no-xattrs)
+SQUASHFSOPT += -action 'chmod(ugo-w)@perm(/ugo+w)'
  SQUASHFSCOMP := gzip
  LZMA_XZ_OPTIONS := -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2
  ifeq ($(CONFIG_SQUASHFS_XZ),y)
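
Review bot: The added `SQUASHFSOPT += -action 'chmod(ugo-w)@perm(/ugo+w)'` line is unconditional, so every squashfs image built through include/image.mk loses its write bits on every target. Consider gating it the way the `-xattrs` line just above is gated, with `$(if $(CONFIG_...),...)` on a new config symbol (the symbol would have to be added; none exists in the visible lines), so the default image is unchanged. The new line also starts in column 0 while the neighbouring `SQUASHFSOPT` lines are indented, and it has no comment saying why the write bits are stripped; a one-line comment would help, since the overlay mounted on top still decides writability at runtime.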


It sure seems like this could easily be a config option in OpenWrt, either
allowing specific commands here, or some easy presets, or perhaps
platform overrides.

Again, I know this is theater and overlayfs rules here, but it's still important
for my use.





