From 2946339a18ea794a8a4637353ea5c30045131bba Mon Sep 17 00:00:00 2001
|
|
From: LiFeng <lifeng68@huawei.com>
|
|
Date: Wed, 30 Jan 2019 03:39:42 -0500
|
|
Subject: [PATCH 057/139] confile: add support umask
|
|
|
|
lxc.isulad.umask=normal sets the container umask to 0022
|
|
lxc.isulad.umask=secure sets the container umask to 0027 (default)
|
|
|
|
Signed-off-by: LiFeng <lifeng68@huawei.com>
|
|
---
|
|
src/lxc/attach.c | 4 ++--
|
|
src/lxc/conf.c | 5 +++--
|
|
src/lxc/conf.h | 1 +
|
|
src/lxc/confile.c | 38 ++++++++++++++++++++++++++++++++++++++
|
|
4 files changed, 44 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
|
|
index b44ea74..9768897 100644
|
|
--- a/src/lxc/attach.c
|
|
+++ b/src/lxc/attach.c
|
|
@@ -768,8 +768,8 @@ static int attach_child_main(struct attach_clone_payload *payload)
|
|
msg_fd = init_ctx->container->lxc_conf->errpipe[1];
|
|
init_ctx->container->lxc_conf->errpipe[1] = -1;
|
|
|
|
- /*isulad: set system umask 0027 for safe control */
|
|
- umask(0027);
|
|
+ /*isulad: set system umask */
|
|
+ umask(init_ctx->container->lxc_conf->umask);
|
|
|
|
/*isulad: restore default signal handlers and unblock all signals*/
|
|
for (i = 1; i < NSIG; i++)
|
|
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
|
|
index 0c6aa28..67beefe 100644
|
|
--- a/src/lxc/conf.c
|
|
+++ b/src/lxc/conf.c
|
|
@@ -3163,6 +3163,7 @@ struct lxc_conf *lxc_conf_init(void)
|
|
new->errmsg = NULL;
|
|
new->errpipe[0] = -1;
|
|
new->errpipe[1] = -1;
|
|
+ new->umask = 0027; /*default umask 0027*/
|
|
/* isulad add end */
|
|
|
|
return new;
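Review bot: The default mask 0027 is now a bare literal in three places: `new->umask = 0027;` here, the `secure` branch of set_config_umask and the reset in clr_config_umask in confile.c, so changing one of them silently leaves the others behind. Name it once next to the new field in conf.h, e.g. `#define ISULAD_DEFAULT_UMASK 0027`, and use that name in all three spots, with the comment here becoming `/* default umask, see ISULAD_DEFAULT_UMASK */`. lxc_conf_init's body starts above this hunk.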
|
|
@@ -4216,8 +4217,8 @@ int lxc_setup(struct lxc_handler *handler)
|
|
}
|
|
}
|
|
|
|
- /*isulad: set system umask 0027 for safe control*/
|
|
- umask(0027);
|
|
+ /*isulad: set system umask */
|
|
+ umask(lxc_conf->umask);
|
|
|
|
ret = setup_personality(lxc_conf->personality);
|
|
if (ret < 0) {
|
|
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
|
|
index 88f5b41..93cf15d 100644
|
|
--- a/src/lxc/conf.h
|
|
+++ b/src/lxc/conf.h
|
|
@@ -427,6 +427,7 @@ struct lxc_conf {
|
|
|
|
char *errmsg; /* record error messages */
|
|
int errpipe[2];//pipdfd for get error message of child or grandchild process.
|
|
+ mode_t umask; //umask value
|
|
/* isulad add end */
|
|
};
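Review bot: The new field's comment `//umask value` does not say where the value comes from or when it is applied, which is what a reader of this header needs, since the field is filled by a config key in confile.c and consumed by lxc_setup and attach_child_main. Suggest `mode_t umask; /* process umask applied in lxc_setup()/attach; set by lxc.isulad.umask: normal=0022, secure=0027 (default) */`. The block-comment form also matches the `errmsg` line directly above it.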
|
|
|
|
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
|
|
index f66d01b..3940b32 100644
|
|
--- a/src/lxc/confile.c
|
|
+++ b/src/lxc/confile.c
|
|
@@ -155,6 +155,7 @@ lxc_config_define(proc);
|
|
/*isulad add begin*/
|
|
lxc_config_define(init_args);
|
|
lxc_config_define(populate_device);
|
|
+lxc_config_define(umask);
|
|
/*isulad add end*/
|
|
|
|
|
|
@@ -247,6 +248,7 @@ static struct lxc_config_t config_jump_table[] = {
|
|
{ "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, },
|
|
{ "lxc.isulad.rootfs.maskedpaths", set_config_rootfs_masked_paths, get_config_rootfs_masked_paths, clr_config_rootfs_masked_paths, },
|
|
{ "lxc.isulad.rootfs.ropaths", set_config_rootfs_ro_paths, get_config_rootfs_ro_paths, clr_config_rootfs_ro_paths, },
|
|
+ { "lxc.isulad.umask", set_config_umask, get_config_umask, clr_config_umask, },
|
|
/*isulad add end*/
|
|
};
|
|
|
|
@@ -2371,6 +2373,27 @@ on_error:
|
|
|
|
}
|
|
|
|
+/* isulad: set config for umask */
|
|
+static int set_config_umask(const char *key, const char *value,
|
|
+ struct lxc_conf *lxc_conf, void *data)
|
|
+{
|
|
+ if (lxc_config_value_empty(value)) {
|
|
+ ERROR("Empty umask");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (strcmp(value, "normal") == 0) {
|
|
+ lxc_conf->umask = 0022;
|
|
+ return 0;
|
|
+ } else if (strcmp(value, "secure") == 0) {
|
|
+ lxc_conf->umask = 0027;
|
|
+ return 0;
|
|
+ } else {
|
|
+ ERROR("Invalid native umask: %s", value);
|
|
+ return -1;
|
|
+ }
|
|
+}
|
|
+
|
|
struct parse_line_conf {
|
|
struct lxc_conf *conf;
|
|
bool from_include;
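Review bot: The rejection path `ERROR("Invalid native umask: %s", value);` does not tell the user which values are accepted, and "native" does not match the key name lxc.isulad.umask; since only two keywords are valid, list them: `ERROR("Invalid umask value \"%s\": expected \"normal\" or \"secure\"", value);`. Restricting the key to two named policies rather than an arbitrary octal is a sound choice here, because a config file can then never request a mask more permissive than 0022, and that intent deserves a line in the header comment: `/* isulad: set config for umask; only the named policies normal (0022) and secure (0027) are accepted, so a config cannot widen file permissions beyond 0022 */`.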
|
|
@@ -3141,6 +3164,13 @@ static int get_config_tty_max(const char *key, char *retv, int inlen,
|
|
return lxc_get_conf_size_t(c, retv, inlen, c->ttys.max);
|
|
}
|
|
|
|
+/* isulad add: get umask value*/
|
|
+static int get_config_umask(const char *key, char *retv, int inlen,
|
|
+ struct lxc_conf *c, void *data)
|
|
+{
|
|
+ return lxc_get_conf_size_t(c, retv, inlen, c->umask);
|
|
+}
|
|
+
|
|
static int get_config_tty_dir(const char *key, char *retv, int inlen,
|
|
struct lxc_conf *c, void *data)
|
|
{
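Review bot: get_config_umask reports the mask through lxc_get_conf_size_t, so a query yields a decimal integer (23 for 0027, 18 for 0022) while set_config_umask in the same file accepts only the words "normal" and "secure"; the value the getter prints cannot be fed back into the setter, and a decimal rendering of an octal mode is easy to misread. Returning the keyword keeps the two symmetric, e.g. `return lxc_get_conf_str(retv, inlen, c->umask == 0022 ? "normal" : "secure");` if the file's lxc_get_conf_str helper is available, otherwise format the value as octal. The header comment should then say which form is returned.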
|
|
@@ -4396,6 +4426,14 @@ static int clr_config_namespace_share(const char *key,
|
|
return 0;
|
|
}
|
|
|
|
+/* isulad add: clear umask value */
|
|
+static inline int clr_config_umask(const char *key, struct lxc_conf *c,
|
|
+ void *data)
|
|
+{
|
|
+ c->umask = 0027;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
static int get_config_includefiles(const char *key, char *retv, int inlen,
|
|
struct lxc_conf *c, void *data)
|
|
{
|
|
--
|
|
1.8.3.1
|
|
|