Allow spec file permisions to be specified

Signed-off-by: Evan Lezar <elezar@nvidia.com>

pkg/nvcdi/spec/builder.go

@@ -18,6 +18,7 @@ package spec
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
@@ -33,6 +34,7 @@ type builder struct {
 	edits       specs.ContainerEdits
 	format      string
 	noSimplify  bool
+	permissions os.FileMode
 }
 
 // newBuilder creates a new spec builder with the supplied options
@@ -60,7 +62,9 @@ func newBuilder(opts ...Option) *builder {
 	if s.format == "" {
 		s.format = FormatYAML
 	}
-
+	if s.permissions == 0 {
+		s.permissions = 0600
+	}
 	return s
 }
 
@@ -157,3 +161,10 @@ func WithRawSpec(raw *specs.Spec) Option {
 		o.raw = raw
 	}
 }
+
+// WithPermissions sets the permissions for the generated spec file
+func WithPermissions(permissions os.FileMode) Option {
+	return func(o *builder) {
+		o.permissions = permissions
+	}
+}

pkg/nvcdi/spec/spec.go

@@ -28,7 +28,8 @@ import (
 
 type spec struct {
 	*specs.Spec
-	format string
+	format      string
+	permissions os.FileMode
 }
 
 var _ Interface = (*spec)(nil)
@@ -51,7 +52,15 @@ func (s *spec) Save(path string) error {
 		cdi.WithSpecDirs(specDir),
 	)
 
-	return registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path))
+	if err := registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)); err != nil {
+		return fmt.Errorf("failed to write spec: %w", err)
+	}
+
+	if err := os.Chmod(path, s.permissions); err != nil {
+		return fmt.Errorf("failed to set permissions on spec file: %w", err)
+	}
+
+	return nil
 }
 
 // WriteTo writes the spec to the specified writer.