lxc/0004-confile-add-support-umask.patch

From e1bf4afdac0f4e1c19ad24c7c9fb915ce72906ed Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68@huawei.com>
Date: Sat, 11 Apr 2020 17:24:47 +0800
Subject: [PATCH 04/49] confile: add support umask

lxc.isulad.umask=normal make the container umask to 0022
lxc.isulad.umask=secure make the container umask to 0027 (default)

Signed-off-by: LiFeng <lifeng68@huawei.com>
---
 src/lxc/attach.c  |  5 +++++
 src/lxc/conf.c    |  6 ++++++
 src/lxc/conf.h    |  1 +
 src/lxc/confile.c | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 406b8ec..56d62ed 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -659,6 +659,11 @@ static int attach_child_main(struct attach_clone_payload *payload)
 			 (options->attach_flags & LXC_ATTACH_LSM) &&
 			 init_ctx->lsm_label;
 
+#ifdef HAVE_ISULAD
+		/*isulad: set system umask */
+	umask(init_ctx->container->lxc_conf->umask);
+#endif
+
 	/* A description of the purpose of this functionality is provided in the
 	 * lxc-attach(1) manual page. We have to remount here and not in the
 	 * parent process, otherwise /proc may not properly reflect the new pid
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index e9c0a37..e3fce51 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2567,6 +2567,7 @@ struct lxc_conf *lxc_conf_init(void)
 #ifdef HAVE_ISULAD
 	/* isulad add begin */
 	lxc_list_init(&new->populate_devs);
+	new->umask = 0027; /*default umask 0027*/
 #endif
 
 	return new;
@@ -3522,6 +3523,11 @@ int lxc_setup(struct lxc_handler *handler)
 	if (ret < 0)
 		return -1;
 
+#ifdef HAVE_ISULAD
+	/*isulad: set system umask */
+	umask(lxc_conf->umask);
+#endif
+
 	ret = setup_personality(lxc_conf->personality);
 	if (ret < 0)
 		return log_error(-1, "Failed to set personality");
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 452458c..7ed3cd0 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -427,6 +427,7 @@ struct lxc_conf {
 
 	/* populate devices*/
 	struct lxc_list populate_devs;
+	mode_t umask;  //umask value
 #endif
 
 };
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index f0772f9..2df269a 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -150,6 +150,7 @@ lxc_config_define(proc);
 #ifdef HAVE_ISULAD
 lxc_config_define(init_args);
 lxc_config_define(populate_device);
+lxc_config_define(umask);
 #endif
 
 /*
@@ -266,6 +267,7 @@ static struct lxc_config_t config_jump_table[] = {
 #ifdef HAVE_ISULAD
 	{ "lxc.isulad.init.args",          set_config_init_args,                   get_config_init_args,                   clr_config_init_args,                 },
 	{ "lxc.isulad.populate.device",    set_config_populate_device,             get_config_populate_device,             clr_config_populate_device,           },
+	{ "lxc.isulad.umask",              set_config_umask,                       get_config_umask,                       clr_config_umask,                     },
 #endif
 };
 
@@ -6273,4 +6275,40 @@ static inline int clr_config_populate_device(const char *key, struct lxc_conf *c
 	return lxc_clear_populate_devices(c);
 }
 
+/* isulad: set config for umask */
+static int set_config_umask(const char *key, const char *value,
+			      struct lxc_conf *lxc_conf, void *data)
+{
+	if (lxc_config_value_empty(value)) {
+		ERROR("Empty umask");
+		return -1;
+	}
+
+	if (strcmp(value, "normal") == 0) {
+		lxc_conf->umask = 0022;
+		return 0;
+	} else if (strcmp(value, "secure") == 0) {
+		lxc_conf->umask = 0027;
+		return 0;
+	} else {
+		ERROR("Invalid native umask: %s", value);
+		return -1;
+	}
+}
+
+/* isulad add: get umask value*/
+static int get_config_umask(const char *key, char *retv, int inlen,
+			      struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_size_t(c, retv, inlen, c->umask);
+}
+
+/* isulad add: clear umask value */
+static inline int clr_config_umask(const char *key, struct lxc_conf *c,
+				     void *data)
+{
+	c->umask = 0027;
+	return 0;
+}
+
 #endif
-- 
1.8.3.1