authorDaniel Golle2020-07-19 00:32:55 +0000
committerDaniel Golle2020-07-19 18:26:09 +0000
commit0e1920cb006d1478c6546e99210a750645eeffc4 (patch)
treec240dbcb34f78398b50664d2f8024384a7c8e3ef
parentc049047be476da6a9e044b6e16a66678c2460156 (diff)
downloadprocd-0e1920cb006d1478c6546e99210a750645eeffc4.tar.gz
jail: read and apply umask from OCI if defined
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r--jail/jail.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/jail/jail.c b/jail/jail.c
index 287307f..522d139 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -94,6 +94,8 @@ static struct {
int gr_gid;
gid_t *additional_gids;
size_t num_additional_gids;
+ mode_t umask;
+ bool set_umask;
int require_jail;
struct {
struct hook_execvpe **createRuntime;
@@ -875,6 +877,9 @@ static int exec_jail(void *pipes_ptr)
exit(EXIT_FAILURE);
}
+ if (opts.set_umask)
+ umask(opts.umask);
+
if (applyOCIcapabilities(opts.capset))
exit(EXIT_FAILURE);
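Review bot: The new `if (opts.set_umask)` branch in exec_jail leaves the no-umask case undocumented. When the OCI config carries no umask, the jailed process appears to keep the file-creation mask inherited from whoever started the jail, at least as far as this hunk shows. A short comment above the check would record that this is intended, for example `/* no umask in the OCI config: keep the mask inherited from the caller */`. exec_jail starts and ends outside this hunk, so any umask handling elsewhere in the function is not visible here.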
@@ -1267,7 +1272,10 @@ static int parseOCIprocessuser(struct blob_attr *msg) {
DEBUG("read %lu additional groups\n", gidcnt);
}
- /* ToDo: umask */
+ if (tb[OCI_PROCESS_USER_UMASK]) {
+ opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]);
+ opts.set_umask = true;
+ }
return 0;
}
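Review bot: The value read from `tb[OCI_PROCESS_USER_UMASK]` is stored in `opts.umask` with no range check, so a 32-bit value with bits outside the permission mask is accepted here and only truncated later by umask(2), which uses just the low nine bits. Rejecting such input at parse time makes a malformed container config fail instead of running with a mask nobody wrote: `uint32_t m = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]);` followed by `if (m & ~0777U) return EINVAL;`, with the error value adjusted to match the function's other failure paths, which lie outside this hunk. The OCI JSON carries the field as a plain integer, so a decimal-versus-octal mistake stays within range and would not be caught by that check. Logging the parsed value in octal next to the existing group-count DEBUG would make it visible, e.g. `DEBUG("read umask 0%03o\n", (unsigned int)opts.umask);`.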