author | Lantao Liu <lantaol@google.com> | 2018-06-26 13:39:07 -0700 |
committer | Shentubot <shentubot@google.com> | 2018-06-26 13:40:04 -0700 |
commit | 000fd8d1e4530b4063eead26dda4843ff0d71cbd (patch) | |
tree | 1c41986261d239b3cf247cb50fe8c044a1cb5553 /runsc/boot/loader.go | |
parent | ea10949a0036cdef95a1397ccad8fcc138ce3c0d (diff) |
runsc: set gofer umask to 0.
PiperOrigin-RevId: 202185642
Change-Id: I2eefcc0b2ffadc6ef21d177a8a4ab0cda91f3399
Diffstat (limited to 'runsc/boot/loader.go')
-rw-r--r-- | runsc/boot/loader.go | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 7097f220b..69b982ff8 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -23,7 +23,6 @@ import (
 	"runtime"
 	"sync"
 	"sync/atomic"
-	"syscall"
 	gtime "time"
 
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -270,7 +269,7 @@ func newProcess(spec *specs.Spec, conf *Config, ioFDs []int, console bool, creds
 		Envv:                 spec.Process.Env,
 		WorkingDirectory:     spec.Process.Cwd,
 		Credentials:          creds,
-		Umask:                0,
+		Umask:                0022,
 		Limits:               ls,
 		MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
 		UTSNamespace:         utsns,
@@ -296,10 +295,9 @@ func newProcess(spec *specs.Spec, conf *Config, ioFDs []int, console bool, creds
 	// Use root user to configure mounts. The current user might not have
 	// permission to do so.
 	rootProcArgs := kernel.CreateProcessArgs{
-		WorkingDirectory: "/",
-		Credentials:      auth.NewRootCredentials(creds.UserNamespace),
-		// The sentry should run with a umask of 0.
-		Umask:            uint(syscall.Umask(0)),
+		WorkingDirectory:     "/",
+		Credentials:          auth.NewRootCredentials(creds.UserNamespace),
+		Umask:                0022,
 		MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
 	}
 	rootCtx := rootProcArgs.NewContext(k)
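Review bot: Both new `Umask: 0022` literals, in the second hunk for the container's init process and in the third hunk for the root process that configures mounts, are unexplained magic numbers, and the deleted comment `// The sentry should run with a umask of 0.` is not replaced by anything saying why 0022 was chosen. I would hoist the value into one named package constant with a comment, `// defaultUmask is the umask given to the sandbox init process and to the root process that sets up mounts; it matches Linux's default for the initial task.` followed by `const defaultUmask = 0022`, and use it in both struct literals so the two cannot drift apart. Note also that the removed `uint(syscall.Umask(0))` had a host-side effect, clearing the sentry's own host umask, which this code no longer performs; the commit title suggests that responsibility moved to the gofer, but that is outside this file and cannot be confirmed from the hunk. newProcess starts and ends outside the hunks shown.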