From 7c621e1fcc08bcf5a1a48b837342cc22eada1685 Mon Sep 17 00:00:00 2001
From: Derek McGowan <derek@mcg.dev>
Date: Wed, 15 Sep 2021 17:57:13 -0700
Subject: [PATCH] btrfs: reduce permissions on plugin directories

Disallow traversal into directories that may contain
unpacked or mounted image filesystems.

Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Samuel Karp <skarp@amazon.com>
---
 snapshots/btrfs/btrfs.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/snapshots/btrfs/btrfs.go b/snapshots/btrfs/btrfs.go
index 534b1c1e8..c289b32d4 100644
--- a/snapshots/btrfs/btrfs.go
+++ b/snapshots/btrfs/btrfs.go
@@ -51,11 +51,15 @@ type snapshotter struct {
 // root needs to be a mount point of btrfs.
 func NewSnapshotter(root string) (snapshots.Snapshotter, error) {
 	// If directory does not exist, create it
-	if _, err := os.Stat(root); err != nil {
+	if st, err := os.Stat(root); err != nil {
 		if !os.IsNotExist(err) {
 			return nil, err
 		}
-		if err := os.Mkdir(root, 0755); err != nil {
+		if err := os.Mkdir(root, 0700); err != nil {
+			return nil, err
+		}
+	} else if st.Mode()&os.ModePerm != 0700 {
+		if err := os.Chmod(root, 0700); err != nil {
 			return nil, err
 		}
 	}