runc/patch/0033-runc-change-runc-default-umask-to-027.patch

From 49ff7be84939cf93b8bf4861ddc783704fb3f50b Mon Sep 17 00:00:00 2001
From: dengguangxing <dengguangxing@huawei.com>
Date: Mon, 8 Jan 2018 10:35:34 +0800
Subject: [PATCH 33/94] runc: change runc default umask to 027

[Changelog]:change runc default umask to 027
change exec process default umask to 0027

Change-Id: Ia7ff0216adc17d61586954de83031be21ab88338
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
---
 libcontainer/rootfs_linux.go     | 2 +-
 libcontainer/setns_init_linux.go | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index d507373..1c93903 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -136,7 +136,7 @@ func finalizeRootfs(config *configs.Config) (err error) {
 		}
 	}
 
-	syscall.Umask(0022)
+	syscall.Umask(0027)
 	return nil
 }
 
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index 48cc0ae..e8e969a 100644
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -5,6 +5,7 @@ package libcontainer
 import (
 	"fmt"
 	"os"
+	"syscall"
 
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/keys"
@@ -40,6 +41,8 @@ func (l *linuxSetnsInit) Init() error {
 			return err
 		}
 	}
+	// set exec process umask to 0027 according to secure policy
+	syscall.Umask(0027)
 	if l.config.NoNewPrivileges {
 		if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
 			return err
-- 
2.7.4.3
runc: package init Signed-off-by: openeuler-iSula <isula@huawei.com> 2019-12-29 15:30:08 +08:00			`From 49ff7be84939cf93b8bf4861ddc783704fb3f50b Mon Sep 17 00:00:00 2001`
			`From: dengguangxing <dengguangxing@huawei.com>`
			`Date: Mon, 8 Jan 2018 10:35:34 +0800`
			`Subject: [PATCH 33/94] runc: change runc default umask to 027`

			`[Changelog]:change runc default umask to 027`
			`change exec process default umask to 0027`

			`Change-Id: Ia7ff0216adc17d61586954de83031be21ab88338`
			`Signed-off-by: dengguangxing <dengguangxing@huawei.com>`
			`---`
			`libcontainer/rootfs_linux.go \| 2 +-`
			`libcontainer/setns_init_linux.go \| 3 +++`
			`2 files changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go`
			`index d507373..1c93903 100644`
			`--- a/libcontainer/rootfs_linux.go`
			`+++ b/libcontainer/rootfs_linux.go`
			`@@ -136,7 +136,7 @@ func finalizeRootfs(config *configs.Config) (err error) {`
			`}`
			`}`

			`- syscall.Umask(0022)`
			`+ syscall.Umask(0027)`
			`return nil`
			`}`

			`diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go`
			`index 48cc0ae..e8e969a 100644`
			`--- a/libcontainer/setns_init_linux.go`
			`+++ b/libcontainer/setns_init_linux.go`
			`@@ -5,6 +5,7 @@ package libcontainer`
			`import (`
			`"fmt"`
			`"os"`
			`+ "syscall"`

			`"github.com/opencontainers/runc/libcontainer/apparmor"`
			`"github.com/opencontainers/runc/libcontainer/keys"`
			`@@ -40,6 +41,8 @@ func (l *linuxSetnsInit) Init() error {`
			`return err`
			`}`
			`}`
			`+ // set exec process umask to 0027 according to secure policy`
			`+ syscall.Umask(0027)`
			`if l.config.NoNewPrivileges {`
			`if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {`
			`return err`
			`--`
			`2.7.4.3`