CORE-11535: Fix svlogd rotated log files permissions

[skoryk-oleksandr]

Description

📝 Summary
This PR addresses an issue where svlogd creates rotated log files with 0744 permissions, making them executable. Executable permissions on log files are unnecessary and potentially insecure. This fix modifies svlogd.c to use 0644 instead, ensuring log files are readable but not executable.

🐞 Initial Problem
In the calico/node container, rotated log files under /var/log/calico/*** were being created with permissions -rwxr--r-- (0744). These permissions are overly permissive for logs, which should not be executable.

🔗 Jira
https://tigera.atlassian.net/browse/CI-1790

🛠️ Fix Details
This PR applies a patch (svlogd_use_0644_permission_instead_of_0744.patch) to svlogd.c during the Docker image build process. This change ensures more secure file permissions for rotated log files.

The patch has been integrated for only two out of four platforms:

• amd64 (Fix applied)
• arm64 (Fix applied)
• ppc64le (Fix has not been applied for this platform)
• s390x (Fix has not been applied for this platform )

Here is ticket to track missing fix for ppc64le and s390x platforms: https://tigera.atlassian.net/browse/CORE-11592

🧪 Testing

• Verified the Docker image builds successfully for amd64 and arm64 platforms.
• Tested functionality on the amd64 image in a local Kind cluster:
• Rotated log files are now created with 0644 permissions.
• svlogd continues to handle log rotation and writing as expected.

📦 Components Affected

• calico/node Docker image build process
• Logging subsystem (svlogd behavior)

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

• docs-pr-required: This change requires a change to the documentation that has not been completed yet.
• docs-completed: This change has all necessary documentation completed.
• docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

• release-note-required: This PR has user-facing changes. Most PRs should have this label.
• release-note-not-required: This PR has no user-facing changes.

Other optional labels:

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
• needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

[Copilot]

Pull Request Overview

This PR modifies the node/Dockerfile.amd64 build step to patch svlogd.c so that rotated log files use 0644 permissions instead of 0744, removing the execute bit from log files.

• Added inline sed commands to replace 0744 with 0644 at three locations in src/svlogd.c.
• Ensures rotated logs are readable but not executable.

Comments suppressed due to low confidence (1)

node/Dockerfile.amd64:79

• Consider adding a CI step or unit/integration test that verifies the file mode of rotated logs is 0644, so future changes can't inadvertently revert this permission fix.

    sed -i '208s/0744/0644/' src/svlogd.c && sed -i '285s/0744/0644/' src/svlogd.c && sed -i '375s/0744/0644/' src/svlogd.c && \

[stevegaossou]

Just have a single comment about thinking ahead to a scenario where we want to update the version of runit that we use.

In that situation, how will applying direct patch for svlogd affect the update?

[stevegaossou]

Are there any concerns around us applying this patch directly ourselves, in case in the future we update the version of runit that we download and use?

[skoryk-oleksandr]

Good point.

If svlogd.c changes in a newer runit version, the patch might fail to apply — but that will be immediately caught during the build, since the patch step will fail right after we bump the version.

In that case, we’ll just need to update the patch. The change is minimal (just replacing 0744 with 0644), so adjusting it should be quick and straightforward.