linux: force umask(0)

it ensures that the `mknodat` syscall is not affected by the umask of the calling process, allowing file permissions to be set as specified in the OCI configuration. Closes: containers#1389 Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe · Jan 18, 2024 · 87740ce · 87740ce
1 parent 513c683
commit 87740ce
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 2 deletions.
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -2351,6 +2351,8 @@ libcrun_container_run_internal (libcrun_container_t *container, libcrun_context_
   if (UNLIKELY (ret < 0))
     return ret;
 
+  umask (0);
+
   if (def->linux && (def->linux->seccomp || seccomp_bpf_data))
     {
       unsigned int seccomp_gen_options = 0;

diff --git a/tests/test_devices.py b/tests/test_devices.py
@@ -18,6 +18,41 @@
 import os
 from tests_utils import *
 
+def test_mode_device():
+    if is_rootless():
+        return 77
+
+    # verify the umask doesn't affect the result
+    os.umask(0o22)
+
+    for have_userns in [True, False]:
+        conf = base_config()
+        add_all_namespaces(conf, userns=have_userns)
+        if have_userns:
+            fullMapping = [
+                {
+                    "containerID": 0,
+                    "hostID": 0,
+                    "size": 4294967295
+                }
+            ]
+            conf['linux']['uidMappings'] = fullMapping
+            conf['linux']['gidMappings'] = fullMapping
+
+        conf['process']['args'] = ['/init', 'mode', '/dev/foo']
+        conf['linux']['devices'] = [{"path": "/dev/foo", "type": "b", "major": 1, "minor": 5, "uid": 10, "gid": 11, "fileMode": 0o157},]
+        try:
+            expected = "157"
+            out = run_and_get_output(conf)
+            if expected not in out[0]:
+                sys.stderr.write("wrong file mode, found %s instead of %s with userns=%s" % (out[0], expected, have_userns))
+                return True
+            return False
+        except Exception as e:
+            print(e)
+            return -1
+    return 0
+
 def test_owner_device():
     if is_rootless():
         return 77
@@ -186,6 +221,7 @@ def test_mknod_device():
     "allow-device" : test_allow_device,
     "allow-access" : test_allow_access,
     "mknod-device" : test_mknod_device,
+    "mode-device"  : test_mode_device,
     "create-or-bind-mount-device" : test_create_or_bind_mount_device,
 }
 

diff --git a/tests/tests_utils.py b/tests/tests_utils.py
@@ -22,6 +22,8 @@
 import tempfile
 import subprocess
 
+default_umask = 0o22
+
 base_conf = """
 {
     "ociVersion": "1.0.0",
@@ -285,11 +287,13 @@ def run_and_get_output(config, detach=False, preserve_fds=None, pid_file=None,
     if use_popen:
         if not stdout:
             stdout=subprocess.PIPE
-        return subprocess.Popen(args, cwd=temp_dir, stdout=stdout,
+        return subprocess.Popen(args, cwd=temp_dir,
+                                umask=default_umask,
+                                stdout=stdout,
                                 stderr=stderr, stdin=stdin, env=env,
                                 close_fds=False), id_container
     else:
-        return subprocess.check_output(args, cwd=temp_dir, stderr=stderr, env=env, close_fds=False).decode(), id_container
+        return subprocess.check_output(args, cwd=temp_dir, stderr=stderr, env=env, close_fds=False, umask=default_umask).decode(), id_container
 
 def run_crun_command(args):
     root = get_tests_root_status()