From 000fd8d1e4530b4063eead26dda4843ff0d71cbd Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Tue, 26 Jun 2018 13:39:07 -0700
Subject: runsc: set gofer umask to 0.
PiperOrigin-RevId: 202185642
Change-Id: I2eefcc0b2ffadc6ef21d177a8a4ab0cda91f3399
---
 runsc/cmd/boot.go | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'runsc/cmd/boot.go')
diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index 86f597c09..0d0e6b63f 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
@@ -107,6 +107,13 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 	conf := args[0].(*boot.Config)
 	waitStatus := args[1].(*syscall.WaitStatus)
 
+	// sentry should run with a umask of 0 when --file-access=direct, because we want
+	// to preserve file modes exactly as set by the sentry, which will have applied
+	// its own umask.
+	if conf.FileAccess == boot.FileAccessDirect {
+		syscall.Umask(0)
+	}
+
 	if b.applyCaps {
 		caps := spec.Process.Capabilities
 		if conf.Platform == boot.PlatformPtrace {
-- 
cgit v1.2.3
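Review bot: The `syscall.Umask(0)` call clears the creation mask for the whole boot process, not just for files created on behalf of the sandbox, and the added comment does not say so; any later `os.Create`/`os.OpenFile`/socket creation in this process that relies on a default 0666 or 0777 mode will now produce world-writable entries on the host. I would extend the comment with `// NOTE: umask is process-wide; every later file or socket created by this process must pass an explicit, restrictive mode, since nothing masks it now.` so the next maintainer adding host-side output (logs, sockets, debug dumps) sees the constraint. The subject line says "gofer umask" while the comment and the file (`runsc/cmd/boot.go`) describe the sentry process; one of the two is presumably stale and worth aligning in a follow-up. Execute's body continues outside the hunk.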