diff options
author | Lantao Liu <lantaol@google.com> | 2018-06-26 13:39:07 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-06-26 13:40:04 -0700 |
commit | 000fd8d1e4530b4063eead26dda4843ff0d71cbd (patch) | |
tree | 1c41986261d239b3cf247cb50fe8c044a1cb5553 | |
parent | ea10949a0036cdef95a1397ccad8fcc138ce3c0d (diff) |
runsc: set gofer umask to 0.
PiperOrigin-RevId: 202185642
Change-Id: I2eefcc0b2ffadc6ef21d177a8a4ab0cda91f3399
-rw-r--r-- | runsc/boot/loader.go | 10 | ||||
-rw-r--r-- | runsc/cmd/boot.go | 7 | ||||
-rw-r--r-- | runsc/cmd/gofer.go | 5 |
3 files changed, 16 insertions, 6 deletions
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index 7097f220b..69b982ff8 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -23,7 +23,6 @@ import ( "runtime" "sync" "sync/atomic" - "syscall" gtime "time" specs "github.com/opencontainers/runtime-spec/specs-go" @@ -270,7 +269,7 @@ func newProcess(spec *specs.Spec, conf *Config, ioFDs []int, console bool, creds Envv: spec.Process.Env, WorkingDirectory: spec.Process.Cwd, Credentials: creds, - Umask: 0, + Umask: 0022, Limits: ls, MaxSymlinkTraversals: linux.MaxSymlinkTraversals, UTSNamespace: utsns, @@ -296,10 +295,9 @@ func newProcess(spec *specs.Spec, conf *Config, ioFDs []int, console bool, creds // Use root user to configure mounts. The current user might not have // permission to do so. rootProcArgs := kernel.CreateProcessArgs{ - WorkingDirectory: "/", - Credentials: auth.NewRootCredentials(creds.UserNamespace), - // The sentry should run with a umask of 0. - Umask: uint(syscall.Umask(0)), + WorkingDirectory: "/", + Credentials: auth.NewRootCredentials(creds.UserNamespace), + Umask: 0022, MaxSymlinkTraversals: linux.MaxSymlinkTraversals, } rootCtx := rootProcArgs.NewContext(k) diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go index 86f597c09..0d0e6b63f 100644 --- a/runsc/cmd/boot.go +++ b/runsc/cmd/boot.go @@ -107,6 +107,13 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) conf := args[0].(*boot.Config) waitStatus := args[1].(*syscall.WaitStatus) + // sentry should run with a umask of 0 when --file-access=direct, because we want + // to preserve file modes exactly as set by the sentry, which will have applied + // its own umask. + if conf.FileAccess == boot.FileAccessDirect { + syscall.Umask(0) + } + if b.applyCaps { caps := spec.Process.Capabilities if conf.Platform == boot.PlatformPtrace { diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go index c0b747737..8e1060a35 100644 --- a/runsc/cmd/gofer.go +++ b/runsc/cmd/gofer.go @@ -17,6 +17,7 @@ package cmd import ( "os" "sync" + "syscall" "context" "flag" @@ -66,6 +67,10 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) return subcommands.ExitUsageError } + // fsgofer should run with a umask of 0, because we want to preserve file + // modes exactly as sent by the sandbox, which will have applied its own umask. + syscall.Umask(0) + spec, err := specutils.ReadSpec(g.bundleDir) if err != nil { Fatalf("error reading spec: %v", err) |