From 371a118ad02221297209b40786a59f5ebc5663ec Mon Sep 17 00:00:00 2001
From: Alakesh Haloi
Date: Thu, 13 Jul 2023 07:07:00 -0700
Subject: [PATCH] agent: exclude symlinks from recursive ownership change
currently when fsGroup is used with direct-assign, kata agent recursively changes ownership and permission for each file including symlinks. However the problem with symlinks is, the permission of the symlink itself may not be same as the underlying file. So while doing recursive ownership and permission changes we should skip symlinks.
Fixes: #7364
Signed-off-by: Alakesh Haloi
---
 src/agent/src/mount.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/agent/src/mount.rs b/src/agent/src/mount.rs
index 5b0d95c19..9c4310e6e 100644
--- a/src/agent/src/mount.rs
+++ b/src/agent/src/mount.rs
@@ -725,6 +725,14 @@ pub fn recursive_ownership_change(
 mask |= EXEC_MASK;
 mask |= MODE_SETGID;
 }
+
+ // We do not want to change the permission of the underlying file
+ // using symlink. Hence we skip symlinks from recursive ownership
+ // and permission changes.
+ if path.is_symlink() {
+ return Ok(());
+ }
+
 nix::unistd::chown(path, uid, gid)?;
 if gid.is_some() {
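Review bot: The `path.is_symlink()` guard is placed after the block that closes with `mask |= MODE_SETGID; }`, so anything that block does with the path has already happened when a symlink is skipped. The block's opening is outside the hunk, but if it is the directory branch and it decides to recurse with a link-following test such as `Path::is_dir()`, a symlink to a directory is still descended into and the files under its target are re-owned; making the guard the first statement of `recursive_ownership_change` would prevent that. The guard and `nix::unistd::chown(path, uid, gid)?` are also two separate lookups of the same path and `chown` dereferences links, so an entry replaced by a symlink between the two calls is still followed; a no-follow call such as `nix::unistd::fchownat` with its no-follow flag would make the skip hold on its own. The function begins and ends outside this hunk, so both points should be confirmed against the full body, and a comment on the guard stating that directory symlinks are covered would help the next reader.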