From 000fd8d1e4530b4063eead26dda4843ff0d71cbd Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Tue, 26 Jun 2018 13:39:07 -0700
Subject: runsc: set gofer umask to 0.

PiperOrigin-RevId: 202185642
Change-Id: I2eefcc0b2ffadc6ef21d177a8a4ab0cda91f3399
---
 runsc/boot/loader.go | 10 ++++------
 runsc/cmd/boot.go | 7 +++++++
 runsc/cmd/gofer.go | 5 +++++
 3 files changed, 16 insertions(+), 6 deletions(-)
(limited to 'runsc')

diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 7097f220b..69b982ff8 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -23,7 +23,6 @@ import (
 	"runtime"
 	"sync"
 	"sync/atomic"
-	"syscall"
 	gtime "time"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -270,7 +269,7 @@ func newProcess(spec *specs.Spec, conf *Config, ioFDs []int, console bool, creds
 		Envv: spec.Process.Env,
 		WorkingDirectory: spec.Process.Cwd,
 		Credentials: creds,
-		Umask: 0,
+		Umask: 0022,
 		Limits: ls,
 		MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
 		UTSNamespace: utsns,
@@ -296,10 +295,9 @@ func newProcess(spec *specs.Spec, conf *Config, ioFDs []int, console bool, creds
 	// Use root user to configure mounts. The current user might not have
 	// permission to do so.
 	rootProcArgs := kernel.CreateProcessArgs{
-		WorkingDirectory: "/",
-		Credentials: auth.NewRootCredentials(creds.UserNamespace),
-		// The sentry should run with a umask of 0.
-		Umask: uint(syscall.Umask(0)),
+		WorkingDirectory: "/",
+		Credentials: auth.NewRootCredentials(creds.UserNamespace),
+		Umask: 0022,
 		MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
 	}
 	rootCtx := rootProcArgs.NewContext(k)
diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index 86f597c09..0d0e6b63f 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
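Review bot: The sandbox umask is now the literal `0022` at two sites in newProcess, the container's CreateProcessArgs and rootProcArgs a few lines below, and the comment the old rootProcArgs code carried was dropped rather than updated to say why 0022. Hoist it into one named constant with the rationale, e.g. `// defaultUmask is applied inside the sentry; the boot and gofer processes run with host umask 0 so these modes reach the host unchanged.` and `const defaultUmask = 0022`, then `Umask: defaultUmask,` at both sites, so the two contexts cannot drift apart. Note that the first site changes container behaviour (init previously started with umask 0, so its default-mode file creations were world-writable) and that rootProcArgs, used to configure mounts per the comment above it, previously inherited the host umask, so anything mount setup creates through it is now masked by 0022; presumably intended, but say so. newProcess continues outside the hunk.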
@@ -107,6 +107,13 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 	conf := args[0].(*boot.Config)
 	waitStatus := args[1].(*syscall.WaitStatus)
+	// sentry should run with a umask of 0 when --file-access=direct, because we want
+	// to preserve file modes exactly as set by the sentry, which will have applied
+	// its own umask.
+	if conf.FileAccess == boot.FileAccessDirect {
+		syscall.Umask(0)
+	}
+
 	if b.applyCaps {
 		caps := spec.Process.Capabilities
 		if conf.Platform == boot.PlatformPtrace {
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
index c0b747737..8e1060a35 100644
--- a/runsc/cmd/gofer.go
+++ b/runsc/cmd/gofer.go
@@ -17,6 +17,7 @@ package cmd
 import (
 	"os"
 	"sync"
+	"syscall"
 	"context"
 	"flag"
@@ -66,6 +67,10 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 		return subcommands.ExitUsageError
 	}
+	// fsgofer should run with a umask of 0, because we want to preserve file
+	// modes exactly as sent by the sandbox, which will have applied its own umask.
+	syscall.Umask(0)
+
 	spec, err := specutils.ReadSpec(g.bundleDir)
 	if err != nil {
 		Fatalf("error reading spec: %v", err)
-- cgit v1.2.3
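Review bot: `syscall.Umask(0)` is process-wide for the rest of the boot process's life, so in direct mode it also removes the safety net from every host file this process creates for its own purposes, not just files created on behalf of the sandbox: an `os.Create`/`os.OpenFile` with the usual 0666 default anywhere in this command now yields a world-writable file unless the caller passes an explicit mode. The same applies, unconditionally, to the `syscall.Umask(0)` added in runsc/cmd/gofer.go below. Say so in both comments, e.g. `// NOTE: process-wide; host files created by this process itself must pass explicit modes.`, and check each command for default-mode host file creation. The comment here also leaves the other --file-access values unexplained; one more line, `// In the other modes the gofer does this instead (see cmd/gofer.go).`, would tell a reader the conditional is deliberate, assuming that is the design. Execute continues outside the hunk.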