From e1bf4afdac0f4e1c19ad24c7c9fb915ce72906ed Mon Sep 17 00:00:00 2001
From: LiFeng
Date: Sat, 11 Apr 2020 17:24:47 +0800
Subject: [PATCH 04/49] confile: add support umask

lxc.isulad.umask=normal make the container umask to 0022
lxc.isulad.umask=secure make the container umask to 0027 (default)

Signed-off-by: LiFeng
---
 src/lxc/attach.c  |  5 +++++
 src/lxc/conf.c    |  6 ++++++
 src/lxc/conf.h    |  1 +
 src/lxc/confile.c | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 50 insertions(+)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 406b8ec..56d62ed 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -659,6 +659,11 @@ static int attach_child_main(struct attach_clone_payload *payload)
 		    (options->attach_flags & LXC_ATTACH_LSM) &&
 		    init_ctx->lsm_label;
 
+#ifdef HAVE_ISULAD
+	/*isulad: set system umask */
+	umask(init_ctx->container->lxc_conf->umask);
+#endif
+
 	/* A description of the purpose of this functionality is provided in the
 	 * lxc-attach(1) manual page. We have to remount here and not in the
 	 * parent process, otherwise /proc may not properly reflect the new pid
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index e9c0a37..e3fce51 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2567,6 +2567,7 @@ struct lxc_conf *lxc_conf_init(void)
 #ifdef HAVE_ISULAD
 	/* isulad add begin */
 	lxc_list_init(&new->populate_devs);
+	new->umask = 0027; /*default umask 0027*/
 #endif
 
 	return new;
@@ -3522,6 +3523,11 @@ int lxc_setup(struct lxc_handler *handler)
 	if (ret < 0)
 		return -1;
 
+#ifdef HAVE_ISULAD
+	/*isulad: set system umask */
+	umask(lxc_conf->umask);
+#endif
+
 	ret = setup_personality(lxc_conf->personality);
 	if (ret < 0)
 		return log_error(-1, "Failed to set personality");
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 452458c..7ed3cd0 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -427,6 +427,7 @@ struct lxc_conf {
 
 	/* populate devices*/
 	struct lxc_list populate_devs;
+	mode_t umask; //umask value
 #endif
 };
 
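Review bot: The comment `/*isulad: set system umask */` above the added umask() call misdescribes its effect, because umask(2) is a per-process attribute and this call only governs files created by the attached process and whatever it execs, nothing system-wide; the same wording is repeated on the umask() call added to lxc_setup in conf.c. Suggest `/* isulad: apply the container's configured umask (lxc.isulad.umask) to the attached process */` here and matching wording in conf.c. attach_child_main's body continues outside the hunk on both sides.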
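Review bot: The default `0027` appears as a bare literal in `new->umask = 0027;` here and again in clr_config_umask in confile.c (`c->umask = 0027;`), so the two defaults can drift apart silently, and the trailing comment `/*default umask 0027*/` only restates the literal. One named constant declared in conf.h beside the `umask` field, for example `#define ISULAD_DEFAULT_UMASK 0027` (the name is a suggestion), used at both sites would keep the secure default in a single place. The comment can then explain the choice rather than the number, e.g. `/* secure default: strips group write and all other-permission bits */`. lxc_conf_init's body continues outside the hunk.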
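Review bot: The umask() call in lxc_setup is placed just before setup_personality, near the end of setup, so files and directories created by the earlier steps of lxc_setup are created under the umask inherited from the process that started the container, not under the configured value. I cannot see those earlier steps in the hunk, but lxc_setup is where the rootfs, mount points and device nodes are prepared, so this is worth an explicit decision. If only the init process's umask is meant, the comment should say so, e.g. `/* isulad: umask inherited by the container init; files created earlier in setup are unaffected */`; if setup-time artifacts should honor it too, the call belongs at the top of lxc_setup. lxc_setup's body runs outside the hunk on both sides.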
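Review bot: The new field's comment `//umask value` adds nothing beyond the field name, and it uses `//` where the neighbouring struct comments use `/* */`. Suggest `mode_t umask; /* process umask for the container init and attached processes; set from lxc.isulad.umask (normal=0022, secure=0027), default 0027 */`. It is also worth confirming that conf.h already pulls in a header declaring mode_t, so the field does not depend on include order in its consumers. struct lxc_conf begins outside the hunk.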
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index f0772f9..2df269a 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -150,6 +150,7 @@ lxc_config_define(proc);
 #ifdef HAVE_ISULAD
 lxc_config_define(init_args);
 lxc_config_define(populate_device);
+lxc_config_define(umask);
 #endif
 
 /*
@@ -266,6 +267,7 @@ static struct lxc_config_t config_jump_table[] = {
 #ifdef HAVE_ISULAD
 	{ "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, },
 	{ "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, },
+	{ "lxc.isulad.umask", set_config_umask, get_config_umask, clr_config_umask, },
 #endif
 };
 
@@ -6273,4 +6275,40 @@ static inline int clr_config_populate_device(const char *key, struct lxc_conf *c
 	return lxc_clear_populate_devices(c);
 }
 
+/* isulad: set config for umask */
+static int set_config_umask(const char *key, const char *value,
+			    struct lxc_conf *lxc_conf, void *data)
+{
+	if (lxc_config_value_empty(value)) {
+		ERROR("Empty umask");
+		return -1;
+	}
+
+	if (strcmp(value, "normal") == 0) {
+		lxc_conf->umask = 0022;
+		return 0;
+	} else if (strcmp(value, "secure") == 0) {
+		lxc_conf->umask = 0027;
+		return 0;
+	} else {
+		ERROR("Invalid native umask: %s", value);
+		return -1;
+	}
+}
+
+/* isulad add: get umask value*/
+static int get_config_umask(const char *key, char *retv, int inlen,
+			    struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_size_t(c, retv, inlen, c->umask);
+}
+
+/* isulad add: clear umask value */
+static inline int clr_config_umask(const char *key, struct lxc_conf *c,
+				   void *data)
+{
+	c->umask = 0027;
+	return 0;
+}
+
 #endif
-- 
1.8.3.1
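Review bot: get_config_umask does not round-trip with set_config_umask: the setter accepts only the keywords `normal` and `secure`, while the getter emits the raw mode through lxc_get_conf_size_t (a decimal integer, `23` for 0027, if that helper formats with %zu), a form the setter rejects and which is not the octal notation a reader expects for a umask. Returning the keyword instead, `return lxc_get_conf_str(retv, inlen, c->umask == 0022 ? "normal" : "secure");`, keeps get and set symmetric. In set_config_umask an empty value is rejected with `Empty umask`, whereas an empty value conventionally resets a key to its default in this file, which clr_config_umask already implements, so `return clr_config_umask(key, lxc_conf, NULL);` would match that convention if it holds for the other isulad setters (only the tail of clr_config_populate_device is visible here). The message `Invalid native umask: %s` also reads oddly since the accepted values are keywords rather than a native mode; `Invalid umask value: %s (expected normal or secure)` states the contract.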