jail: read and apply umask from OCI if defined

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index 287307f602d08cdb5b04ba6336d038c7fab5ae5b..522d1390d36dbe618d60146ad9c014c3f1207e57 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -94,6 +94,8 @@ static struct {
        int gr_gid;
        gid_t *additional_gids;
        size_t num_additional_gids;
+       mode_t umask;
+       bool set_umask;
        int require_jail;
        struct {
                struct hook_execvpe **createRuntime;
@@ -875,6 +877,9 @@ static int exec_jail(void *pipes_ptr)
                exit(EXIT_FAILURE);
        }
 
+       if (opts.set_umask)
+               umask(opts.umask);
+
        if (applyOCIcapabilities(opts.capset))
                exit(EXIT_FAILURE);
 
@@ -1267,7 +1272,10 @@ static int parseOCIprocessuser(struct blob_attr *msg) {
                DEBUG("read %lu additional groups\n", gidcnt);
        }
 
-       /* ToDo: umask */
+       if (tb[OCI_PROCESS_USER_UMASK]) {
+               opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]);
+               opts.set_umask = true;
+       }
 
        return 0;
 }