fix kata artifact file permission and ownership

Author: kumara1-intel

REUSE.toml

@@ -36,7 +36,7 @@ path = [
     "**.zip",
     ".gitattributes",
     "**.tar.gz",
-    "kata_keeplist.txt"
+    "**/kata_keeplist.txt"
 ]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2025 Intel Corporation"

trusted-workload/kata-deploy/Makefile

@@ -15,7 +15,7 @@ all: build lint test
 build:
 	@# Help: Runs build stage in all subprojects
 	@echo "---MAKEFILE BUILD---"
-	bash build-kata-deploy-image.sh
+	sudo -E bash build-kata-deploy-image.sh
 	@echo "---END MAKEFILE Build---"
 
 clean:

trusted-workload/kata-deploy/build-kata-deploy-image.sh

@@ -33,7 +33,7 @@ KATA_ARTIFACT_NEW_NAME="kata-static.tar.xz"
 KATA_PATCH_DIR="patch/${KATA_CONTAINERS_TAG}"
 KATA_BOOT_COMPONENT_DIR="${KATA_ARTIFACT_DIR}/opt/kata/share/kata-containers"
 KATA_ARTIFACT_KERNEL_NAME="vmlinux.container"
-KATA_ARTIFACT_TOOTFS_NAME="kata-containers.img"
+KATA_ARTIFACT_ROOTFS_NAME="kata-containers.img"
 
 check_file_exists() {
     local file="${1}"
@@ -75,6 +75,9 @@ tar -xf "${KATA_ARTIFACT_FILE_NAME}" -C "${KATA_ARTIFACT_DIR}"
 #check if the boot component directory exists
 check_dir_exists "${KATA_BOOT_COMPONENT_DIR}"
 
+#create bm-agents group if it does not exist
+getent group bm-agents > /dev/null || groupadd -g 500 bm-agents
+
 #copy edge microvisor kernel to the kata artifacts
 echo "INFO: Copying edge microvisor kernel to the Kata artifacts"
 cp "${EDGE_MICROVISOR_SRC}/${EDGE_MICROVISOR_KERNEL}" "${KATA_BOOT_COMPONENT_DIR}"
@@ -90,19 +93,27 @@ cp "${EDGE_MICROVISOR_SRC}/${EDGE_MICROVISOR_ROOTFS}" "${KATA_BOOT_COMPONENT_DIR
 #change symlink to point to the new kernel and rootfs
 echo "INFO: Change symlink to point to the new kernel and rootfs"
 ln -sf "${EDGE_MICROVISOR_KERNEL}" "${KATA_BOOT_COMPONENT_DIR}/${KATA_ARTIFACT_KERNEL_NAME}"
-ln -sf "${EDGE_MICROVISOR_ROOTFS}" "${KATA_BOOT_COMPONENT_DIR}/${KATA_ARTIFACT_TOOTFS_NAME}"
+ln -sf "${EDGE_MICROVISOR_ROOTFS}" "${KATA_BOOT_COMPONENT_DIR}/${KATA_ARTIFACT_ROOTFS_NAME}"
 
 # Iterate over all files, directories, clean up unwanted files and directories and set permission and onwership
+chmod 750 "${KATA_ARTIFACT_DIR}/opt/kata"
+chown root:bm-agents "${KATA_ARTIFACT_DIR}/opt/kata"
+
 pushd "${KATA_ARTIFACT_DIR}/opt/kata"
 for file in $(find . -type f -o -type d -o -type l | sed 's|^\./||'); do
 	match=$(awk -v search="$file" '$0 ~ search { print $0; found=1; exit } END { if (!found) print ""; exit }' ../../../kata_keeplist.txt)
     if [[ -n "$match" ]]; then
-		echo "INFO: Processing $file"
-        chown $(echo "$match" | awk '{print $2}') "$file"
+		chown $(echo "$match" | awk '{print $2}') "$file"
 		chmod $(echo "$match" | awk '{print $3}') "$file"
 	else
-		[[ "$file" == *"$EDGE_MICROVISOR_KERNEL"* ]] && chown root:root "$file" && chmod 600 "$file" || rm -rf "$file"
-    fi
+		if [[ "$file" == *"$EDGE_MICROVISOR_KERNEL"* ]]; then
+			chown root:bm-agents "$file" && chmod 640 "$file"
+		elif [[ "$file" == *"$EDGE_MICROVISOR_KERNEL_CONFIG"* ]]; then
+			chown root:root "$file" && chmod 600 "$file"
+		else
+			rm -rf "$file"
+		fi
+	fi
 done
 popd
 

trusted-workload/kata-deploy/kata_keeplist.txt

@@ -1,5 +1,5 @@
-bin root:root 700
-bin/containerd-shim-kata-v2 root:root 700
+bin root:bm-agents 750
+bin/containerd-shim-kata-v2 root:bm-agents 740
 bin/kata-agent-ctl root:root 700
 bin/kata-collect-data.sh root:root 700
 bin/kata-ctl root:root 700
@@ -9,7 +9,7 @@ bin/kata-monitor root:root 700
 bin/kata-runtime root:root 700
 bin/kata-trace-forwarder root:root 700
 bin/stratovirt root:root 700
-bin/qemu-system-x86_64 root:root 700
+bin/qemu-system-x86_64 root:bm-agents 740
 include root:root 600
 include/libfdt_env.h root:root 600
 include/libfdt.h root:root 600
@@ -19,31 +19,31 @@ lib/kata-qemu root:root 600
 lib/kata-qemu/libfdt.a root:root 600
 lib/kata-qemu/pkgconfig root:root 600
 lib/kata-qemu/pkgconfig/libfdt.pc root:root 600
-libexec root:root 700
-libexec/virtiofsd root:root 700
-share root:root 700
+libexec root:bm-agents 750
+libexec/virtiofsd root:bm-agents 740
+share root:bm-agents 750
 share/bash-completion root:root 700
 share/bash-completion/completions root:root 700
 share/bash-completion/completions/kata-runtime root:root 700
-share/defaults root:root 600
-share/defaults/kata-containers root:root 600
+share/defaults root:bm-agents 750
+share/defaults/kata-containers root:bm-agents 750
 share/defaults/kata-containers/rules.rego root:root 600
 share/defaults/kata-containers/genpolicy-settings.json root:root 600
-share/defaults/kata-containers/configuration-qemu.toml root:root 600
+share/defaults/kata-containers/configuration-qemu.toml root:bm-agents 640
 share/defaults/kata-containers/agent-ctl root:root 600
 share/defaults/kata-containers/agent-ctl/oci_config.json root:root 600
-share/defaults/kata-containers/configuration.toml root:root 600
-share/kata-containers root:root 600
-share/kata-containers/trusted-vm.img root:root 600
+share/defaults/kata-containers/configuration.toml root:bm-agents 640
+share/kata-containers root:bm-agents 750
+share/kata-containers/trusted-vm.img root:bm-agents 640
 share/kata-containers/root_hash.txt root:root 600
-share/kata-containers/vmlinux.container root:root 600
-share/kata-containers/kata-containers.img root:root 600
-share/kata-qemu root:root 600
-share/kata-qemu/qemu root:root 600
-share/kata-qemu/qemu/pvh.bin root:root 600
-share/kata-qemu/qemu/kvmvapic.bin root:root 600
-share/kata-qemu/qemu/linuxboot_dma.bin root:root 600
-share/kata-qemu/qemu/bios-256k.bin root:root 600
-share/kata-qemu/qemu/efi-virtio.rom root:root 600
+share/kata-containers/vmlinux.container root:bm-agents 640
+share/kata-containers/kata-containers.img root:bm-agents 640
+share/kata-qemu root:bm-agents 750
+share/kata-qemu/qemu root:bm-agents 750
+share/kata-qemu/qemu/pvh.bin root:bm-agents 640
+share/kata-qemu/qemu/kvmvapic.bin root:bm-agents 640
+share/kata-qemu/qemu/linuxboot_dma.bin root:bm-agents 640
+share/kata-qemu/qemu/bios-256k.bin root:bm-agents 640
+share/kata-qemu/qemu/efi-virtio.rom root:bm-agents 640
 VERSION root:root 600
-versions.yaml root:root 600
+versions.yaml root:root 600