init_buildsystem: Fix excluding /dev, /sys, etc. from preinstallimages (#1108)

- dev/* was unintentionally glob-expanded to dev/pts, use an array to
  avoid this
- Use bsdtar and GNU tar specific ways to anchor the patterns so that
  /sys/* is excluded but e.g. /usr/include/sys/cdefs.h is not

Author: Vogtinator

init_buildsystem

@@ -285,20 +285,21 @@ preinstall_image() {
     echo "unpacking preinstall image${2:+ $2}"
     preinstall_setup
 
-    TAR_EXCLUDES="--exclude .build --exclude .init_b_cache"
+    TAR_EXCLUDES=(.build .init_b_cache)
 
     if [ -f "/run/.containerenv" ]; then
         # we're running in a podman container and we probably don't have sufficient capabilities to create special files
-        TAR_EXCLUDES="$TAR_EXCLUDES --exclude dev/* --exclude proc/* --exclude run/* --exclude sys/*"
+        TAR_EXCLUDES+=("dev/*" "proc/*" "run/*" "sys/*")
     fi
 
     if test -x /usr/bin/bsdtar ; then
-	TAR="/usr/bin/bsdtar $TAR_EXCLUDES -P --chroot --numeric-owner -x"
+	# Undocumented bsdtar feature: ^ at the beginning anchors
+	TAR=(/usr/bin/bsdtar "${TAR_EXCLUDES[@]/#/"--exclude=^"}" -P --chroot --numeric-owner -x)
     else
 	unsafe_preinstall_check
-	TAR="tar $TAR_EXCLUDES -x"
+	TAR=(tar --anchored "${TAR_EXCLUDES[@]/#/"--exclude="}" -x)
     fi
-    if ! $TAR -f "$BUILD_INIT_CACHE/rpms/$1" ; then
+    if ! "${TAR[@]}" -f "$BUILD_INIT_CACHE/rpms/$1" ; then
 	echo "ERROR: unpack failed."
         if test "x$(od -t x4 -A n -N 4 "$BUILD_INIT_CACHE/rpms/$1")" = "x fd2fb528" ; then
             echo "ERROR: This is a .zst compressed preinstallimage and $TAR failed to unpack."