From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1338605-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id BCA72158086
	for <garchives@archives.gentoo.org>; Thu, 11 Nov 2021 21:27:45 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 2785D2BC145;
	Thu, 11 Nov 2021 21:27:40 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 0FEC02BC145
	for <gentoo-commits@lists.gentoo.org>; Thu, 11 Nov 2021 21:27:40 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 29CB23430F8
	for <gentoo-commits@lists.gentoo.org>; Thu, 11 Nov 2021 21:27:39 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 583161CC
	for <gentoo-commits@lists.gentoo.org>; Thu, 11 Nov 2021 21:27:36 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1636666010.bf6fdfd10493e1d4b51195cc9daa4a7093402c4f.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: Makefile
X-VCS-Directories: /
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: bf6fdfd10493e1d4b51195cc9daa4a7093402c4f
X-VCS-Branch: master
Date: Thu, 11 Nov 2021 21:27:36 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 1a735acd-6348-463f-af6d-f7405dbceb4a
X-Archives-Hash: 439621e8ad0b3978c664d5ee10ce9f3b

commit:     bf6fdfd10493e1d4b51195cc9daa4a7093402c4f
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Nov  5 13:32:30 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf6fdfd1

Ignore umask on when installing headers

Use install(1) with explicit permissions to create directories and
files.  If umask(2) is set too strictly, the installed files would
otherwise not be readable by unprivileged users.

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 Makefile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index ba346a27..53af1468 100644
--- a/Makefile
+++ b/Makefile
@@ -534,17 +534,19 @@ $(appdir)/%: $(appconf)/%
 # Install policy headers
 #
 install-headers: $(layerxml) $(tunxml) $(boolxml) $(gentooxml)
-	@mkdir -p $(headerdir)
+	$(verbose) $(INSTALL) -d -m 755 $(headerdir)
 	@echo "Installing $(NAME) policy headers."
 	$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
-	$(verbose) mkdir -p $(headerdir)/support
+	$(verbose) $(INSTALL) -d -m 755 $(headerdir)/support
 	$(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
 	$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
+	$(verbose) $(INSTALL) -m 644 /dev/null $(headerdir)/support/all_perms.spt
 	$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
 	$(verbose) for i in $(notdir $(all_layers)); do \
-		mkdir -p $(headerdir)/$$i ;\
+		$(INSTALL) -d -m 755 $(headerdir)/$$i ;\
 		$(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
 	done
+	$(verbose) $(INSTALL) -m 644 /dev/null $(headerdir)/build.conf
 	$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
 	$(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
 ifneq "$(DISTRO)" ""
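Review bot: The two added `$(INSTALL) -m 644 /dev/null …` lines, placed before the `all_perms.spt` and `build.conf` redirects, are not self-explanatory and deserve a comment, for example `# pre-create with mode 644; the redirect below truncates the file and keeps that mode, independent of umask`. A side effect is that if `$(genperm)` fails, an empty world-readable `all_perms.spt` stays in `$(headerdir)/support`, where it looks like an installed header. Generating into a temporary file in the build tree and then installing it with `$(INSTALL) -m 644` would avoid both the placeholder step and the partial file. The recipe continues past the end of the hunk (the `ifneq "$(DISTRO)" ""` block), so any later `>>` appends to `build.conf` are not visible here.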