From 5712305711a0f57d2d167b49da1093204abaffcd Mon Sep 17 00:00:00 2001
From: LiFeng
Date: Wed, 30 Jan 2019 03:39:42 -0500
Subject: [PATCH 057/140] confile: add support umask

lxc.isulad.umask=normal make the container umask to 0022
lxc.isulad.umask=secure make the container umask to 0027 (default)

Signed-off-by: LiFeng
---
 src/lxc/attach.c | 4 ++--
 src/lxc/conf.c | 5 +++--
 src/lxc/conf.h | 1 +
 src/lxc/confile.c | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index b44ea74..9768897 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -768,8 +768,8 @@ static int attach_child_main(struct attach_clone_payload *payload)
 msg_fd = init_ctx->container->lxc_conf->errpipe[1];
 init_ctx->container->lxc_conf->errpipe[1] = -1;
- /*isulad: set system umask 0027 for safe control */
- umask(0027);
+ /*isulad: set system umask */
+ umask(init_ctx->container->lxc_conf->umask);
 /*isulad: restore default signal handlers and unblock all signals*/
 for (i = 1; i < NSIG; i++)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 0c6aa28..67beefe 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3163,6 +3163,7 @@ struct lxc_conf *lxc_conf_init(void)
 new->errmsg = NULL;
 new->errpipe[0] = -1;
 new->errpipe[1] = -1;
+ new->umask = 0027; /*default umask 0027*/
 /* isulad add end */
 return new;
@@ -4216,8 +4217,8 @@ int lxc_setup(struct lxc_handler *handler)
 }
 }
- /*isulad: set system umask 0027 for safe control*/
- umask(0027);
+ /*isulad: set system umask */
+ umask(lxc_conf->umask);
 ret = setup_personality(lxc_conf->personality);
 if (ret < 0) {
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 88f5b41..93cf15d 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -427,6 +427,7 @@ struct lxc_conf {
 char *errmsg; /* record error messages */
 int errpipe[2];//pipdfd for get error message of child or grandchild process.
+ mode_t umask; //umask value
 /* isulad add end */
 };
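Review bot: The new comment `/*isulad: set system umask */` in attach_child_main drops the rationale the old one carried and no longer says where the value comes from or what it can be, even though this umask() call is what actually enforces the setting in the attached process. Since the mode is now configurable, state the contract at the call site, e.g. `/* isulad: apply the configured umask (lxc.isulad.umask: "secure" -> 0027, the default; "normal" -> 0022) */`. The identical comment is used at the umask() call in the lxc_setup hunk of src/lxc/conf.c and should be updated the same way. attach_child_main continues outside the hunk.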
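Review bot: `new->umask = 0027;` in lxc_conf_init is one of three places this patch spells the secure default as a literal — clr_config_umask in src/lxc/confile.c resets to 0027 and set_config_umask maps "secure" to 0027 — so the value has to be kept in step by hand across two files. A single named constant declared next to the `mode_t umask` field in src/lxc/conf.h (constructed example: `#define LXC_ISULAD_UMASK_SECURE 0027`, with a matching one for the 0022 "normal" mode) used at all three sites would prevent that drift, and the `/*default umask 0027*/` comment could then simply say the secure default is applied. lxc_conf_init continues outside the hunk.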
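Review bot: `mode_t umask; //umask value` adds nothing the field name does not already say; this patch shows the field is the process umask passed to umask() in lxc_setup() and in the attach child, and that it only takes 0027 or 0022 via lxc.isulad.umask, so the comment should record that, e.g. `/* process umask applied by lxc_setup()/attach; lxc.isulad.umask "secure" = 0027 (default), "normal" = 0022 */`. A struct member named umask alongside the libc umask() function is legal but reads ambiguously at the call sites (`umask(lxc_conf->umask)`); if a rename is cheap at this stage, something like `isulad_umask` would make the two easier to tell apart. The struct lxc_conf definition begins outside the hunk.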
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index f66d01b..3940b32 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -155,6 +155,7 @@ lxc_config_define(proc);
 /*isulad add begin*/
 lxc_config_define(init_args);
 lxc_config_define(populate_device);
+lxc_config_define(umask);
 /*isulad add end*/
@@ -247,6 +248,7 @@ static struct lxc_config_t config_jump_table[] = {
 { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, },
 { "lxc.isulad.rootfs.maskedpaths", set_config_rootfs_masked_paths, get_config_rootfs_masked_paths, clr_config_rootfs_masked_paths, },
 { "lxc.isulad.rootfs.ropaths", set_config_rootfs_ro_paths, get_config_rootfs_ro_paths, clr_config_rootfs_ro_paths, },
+ { "lxc.isulad.umask", set_config_umask, get_config_umask, clr_config_umask, },
 /*isulad add end*/
 };
@@ -2371,6 +2373,27 @@ on_error:
 }
+/* isulad: set config for umask */
+static int set_config_umask(const char *key, const char *value,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ if (lxc_config_value_empty(value)) {
+ ERROR("Empty umask");
+ return -1;
+ }
+
+ if (strcmp(value, "normal") == 0) {
+ lxc_conf->umask = 0022;
+ return 0;
+ } else if (strcmp(value, "secure") == 0) {
+ lxc_conf->umask = 0027;
+ return 0;
+ } else {
+ ERROR("Invalid native umask: %s", value);
+ return -1;
+ }
+}
+
 struct parse_line_conf {
 struct lxc_conf *conf;
 bool from_include;
@@ -3141,6 +3164,13 @@ static int get_config_tty_max(const char *key, char *retv, int inlen,
 return lxc_get_conf_size_t(c, retv, inlen, c->ttys.max);
 }
+/* isulad add: get umask value*/
+static int get_config_umask(const char *key, char *retv, int inlen,
+ struct lxc_conf *c, void *data)
+{
+ return lxc_get_conf_size_t(c, retv, inlen, c->umask);
+}
+
 static int get_config_tty_dir(const char *key, char *retv, int inlen,
 struct lxc_conf *c, void *data)
 {
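Review bot: On an empty value set_config_umask logs "Empty umask" and fails, whereas upstream LXC setters in this file generally treat an empty value as a request to clear the key; if that convention holds here, `if (lxc_config_value_empty(value)) return clr_config_umask(key, lxc_conf, NULL);` keeps `lxc.isulad.umask =` behaving like the other keys and reuses the reset to the secure default, and if rejecting empty is deliberate the comment should say so. The error text `Invalid native umask: %s` names something the option is not ("native") and does not tell the operator what is accepted; `Invalid lxc.isulad.umask value: %s (expected \"normal\" or \"secure\")` does. The literals 0022 and 0027 here duplicate the values written in lxc_conf_init and clr_config_umask and belong in shared named constants.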
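Review bot: get_config_umask returns the mode through lxc_get_conf_size_t, so `lxc.isulad.umask` reads back as a decimal count (23 for 0027, 18 for 0022) that set_config_umask will not accept — a config round-trip through get and set fails, and the number is hard to relate to an octal mode. Returning the symbolic name keeps the getter consistent with the setter, e.g. `return lxc_get_conf_str(retv, inlen, c->umask == 0022 ? "normal" : "secure");`, assuming lxc_get_conf_str is present in this file as in upstream confile.c; failing that, formatting the value with `%#o` would at least print it as octal. The comment `/* isulad add: get umask value*/` should then say that the symbolic name is returned.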
@@ -4396,6 +4426,14 @@ static int clr_config_namespace_share(const char *key,
 return 0;
 }
+/* isulad add: clear umask value */
+static inline int clr_config_umask(const char *key, struct lxc_conf *c,
+ void *data)
+{
+ c->umask = 0027;
+ return 0;
+}
+
 static int get_config_includefiles(const char *key, char *retv, int inlen,
 struct lxc_conf *c, void *data)
 {
--
1.8.3.1
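Review bot: clr_config_umask is declared `static inline` while the neighbouring handlers (clr_config_namespace_share above, get_config_includefiles below) are plain `static`; it is only reached through the function pointer stored in config_jump_table, so `inline` buys nothing and just departs from the file's style — `static int clr_config_umask(const char *key, struct lxc_conf *c,`. The comment `/* isulad add: clear umask value */` understates what happens: the value is not cleared but reset to the secure default, so `/* isulad: reset lxc.isulad.umask to the secure default (0027) */` is more accurate.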