From ff5851dcad80879c0610e784d3ec36fc3fd2faf3 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Sun, 29 Oct 2023 22:08:48 +0100
Subject: [PATCH] archive: fix mode for root dir with ForceMask

if force_mask is in use, we need to store the root directory
permission after we read it from the tar archive.  We were incorrectly
reading it from the directory on the filesystem.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/archive/archive.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
index 29f800b2af..05d2571182 100644
--- a/pkg/archive/archive.go
+++ b/pkg/archive/archive.go
@@ -955,14 +955,8 @@ func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) err
 	if options.ForceMask != nil {
 		// if ForceMask is in place, make sure lchown is disabled.
 		doChown = false
-		uid, gid, mode, err := GetFileOwner(dest)
-		if err == nil {
-			value := fmt.Sprintf("%d:%d:0%o", uid, gid, mode)
-			if err := system.Lsetxattr(dest, idtools.ContainersOverrideXattr, []byte(value), 0); err != nil {
-				return err
-			}
-		}
 	}
+	var rootHdr *tar.Header
 
 	// Iterate through the files in the archive.
 loop:
@@ -1007,6 +1001,9 @@ loop:
 		if err != nil {
 			return err
 		}
+		if rel == "." {
+			rootHdr = hdr
+		}
 		if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
 			return breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
 		}
@@ -1080,6 +1077,14 @@ loop:
 			return err
 		}
 	}
+
+	if options.ForceMask != nil && rootHdr != nil {
+		value := fmt.Sprintf("%d:%d:0%o", rootHdr.Uid, rootHdr.Gid, rootHdr.Mode)
+		if err := system.Lsetxattr(dest, idtools.ContainersOverrideXattr, []byte(value), 0); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }