53 lines
1.5 KiB
Diff
53 lines
1.5 KiB
Diff
From 49ff7be84939cf93b8bf4861ddc783704fb3f50b Mon Sep 17 00:00:00 2001
|
|
From: dengguangxing <dengguangxing@huawei.com>
|
|
Date: Mon, 8 Jan 2018 10:35:34 +0800
|
|
Subject: [PATCH 33/94] runc: change runc default umask to 027
|
|
|
|
[Changelog]:change runc default umask to 027
|
|
change exec process default umask to 0027
|
|
|
|
Change-Id: Ia7ff0216adc17d61586954de83031be21ab88338
|
|
Signed-off-by: dengguangxing <dengguangxing@huawei.com>
|
|
---
|
|
libcontainer/rootfs_linux.go | 2 +-
|
|
libcontainer/setns_init_linux.go | 3 +++
|
|
2 files changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
|
|
index d507373..1c93903 100644
|
|
--- a/libcontainer/rootfs_linux.go
|
|
+++ b/libcontainer/rootfs_linux.go
|
|
@@ -136,7 +136,7 @@ func finalizeRootfs(config *configs.Config) (err error) {
|
|
}
|
|
}
|
|
|
|
- syscall.Umask(0022)
|
|
+ syscall.Umask(0027)
|
|
return nil
|
|
}
|
|
|
|
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
|
|
index 48cc0ae..e8e969a 100644
|
|
--- a/libcontainer/setns_init_linux.go
|
|
+++ b/libcontainer/setns_init_linux.go
|
|
@@ -5,6 +5,7 @@ package libcontainer
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
+ "syscall"
|
|
|
|
"github.com/opencontainers/runc/libcontainer/apparmor"
|
|
"github.com/opencontainers/runc/libcontainer/keys"
|
|
@@ -40,6 +41,8 @@ func (l *linuxSetnsInit) Init() error {
|
|
return err
|
|
}
|
|
}
|
|
+ // set exec process umask to 0027 according to secure policy
|
|
+ syscall.Umask(0027)
|
|
if l.config.NoNewPrivileges {
|
|
if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
|
|
return err
|
|
--
|
|
2.7.4.3
|
|
|