Add support for umask

Signed-off-by: Ashley Cui <[email protected]>

Author: giuseppe

libcontainer/configs/config.go

@@ -92,6 +92,9 @@ type Config struct {
 	// Path to a directory containing the container's root filesystem.
 	Rootfs string `json:"rootfs"`
 
+	// Umask is the umask to use inside of the container.
+	Umask *uint32 `json:"umask"`
+
 	// Readonlyfs will remount the container's rootfs as readonly where only externally mounted
 	// bind mounts are writtable.
 	Readonlyfs bool `json:"readonlyfs"`

libcontainer/rootfs_linux.go

@@ -157,7 +157,11 @@ func finalizeRootfs(config *configs.Config) (err error) {
 		}
 	}
 
-	unix.Umask(0022)
+	if config.Umask != nil {
+		unix.Umask(int(*config.Umask))
+	} else {
+		unix.Umask(0022)
+	}
 	return nil
 }
 

libcontainer/specconv/spec_linux.go

@@ -308,6 +308,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 	if spec.Process != nil {
 		config.OomScoreAdj = spec.Process.OOMScoreAdj
 		config.NoNewPrivileges = spec.Process.NoNewPrivileges
+		config.Umask = spec.Process.User.Umask
 		if spec.Process.SelinuxLabel != "" {
 			config.ProcessLabel = spec.Process.SelinuxLabel
 		}

tests/integration/umask.bats

@@ -0,0 +1,25 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	teardown_busybox
+	setup_busybox
+}
+
+function teardown() {
+	teardown_busybox
+}
+
+@test "umask" {
+	update_config '.process.user += {"umask":63}' 
+
+	# run busybox detached
+	runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
+	[ "$status" -eq 0 ]
+
+	runc exec test_busybox grep '^Umask:' "/proc/1/status"
+	[ "$status" -eq 0 ]
+	# umask 63 decimal = umask 77 octal
+	[[ "${output}" == *"77"* ]]
+}