'process/user/umask' from the OCI runtime spec not honoured #11022

Closed
BinaryKhaos opened this issue Oct 11, 2024 · 2 comments · Fixed by #11024
Labels
type: bug Something isn't working

@BinaryKhaos

Description

The OCI runtime spec defines an optional value 'process/user/umask' that allows setting the umask for the newly started process in the container. It is honoured by crun and runc, for example, but not by runsc.

Steps to reproduce

  1. podman run --rm --runtime=runsc --umask=0027 alpine:latest /bin/sh -c umask
    0022

  2. podman run --rm --runtime=runc --umask=0027 alpine:latest /bin/sh -c umask
    0027

  3. podman run --rm --runtime=crun --umask=0027 alpine:latest /bin/sh -c umask
    0027

runsc version

runsc version release-20241007.0
spec: 1.1.0-rc.1

docker version (if using docker)

No response

uname

Linux TARDIS 6.11.3-gentoo-241010-r1 #1 SMP PREEMPT_DYNAMIC Thu Oct 10 16:36:50 CEST 2024 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

@BinaryKhaos BinaryKhaos added the type: bug Something isn't working label Oct 11, 2024
copybara-service bot pushed a commit that referenced this issue Oct 11, 2024
If this field is specified, then initialize kernel.CreateProcessArgs.Umask with
it. Otherwise default to 0022.

Fixes #11022

PiperOrigin-RevId: 684900616
@ayushr2
Collaborator

ayushr2 commented Oct 11, 2024

#11024 should fix this. I tested your reproducer locally.

@BinaryKhaos
Author

Thanks, very much appreciated. Can confirm, latest nightly works like a charm and also fixes a crash I was seeing with the KVM platform on Linux.
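
The check implied by the reproducer and the fix, as an added example that is not part of the original thread or of gVisor's source: it reads `process.user.umask` from an OCI `config.json`, falls back to 0022 when the field is absent, and compares the result with the `umask` output observed in the container. The `ociSpec` struct, the function names and the sample config are assumptions made for this example; the JSON value is a decimal integer, so 0027 is written as 23.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Local mirror of the config.json fields involved; nil means "umask omitted".
type ociSpec struct {
	Process struct {
		User struct {
			Umask *uint32 `json:"umask,omitempty"`
		} `json:"user"`
	} `json:"process"`
}

const defaultUmask = 022 // fallback named in the fix's commit message

// requestedUmask returns the umask the spec asks for, or the default if absent.
func requestedUmask(configJSON []byte) (uint32, error) {
	var s ociSpec
	if err := json.Unmarshal(configJSON, &s); err != nil {
		return 0, fmt.Errorf("parsing config.json: %w", err)
	}
	if s.Process.User.Umask == nil {
		return defaultUmask, nil
	}
	return *s.Process.User.Umask & 0777, nil // umask(2) uses permission bits only
}

// umaskHonoured compares the spec with what `umask` printed in the container.
func umaskHonoured(configJSON []byte, observed string) (bool, error) {
	want, err := requestedUmask(configJSON)
	if err != nil {
		return false, err
	}
	got, err := strconv.ParseUint(strings.TrimSpace(observed), 8, 32)
	if err != nil {
		return false, fmt.Errorf("parsing observed umask %q: %w", observed, err)
	}
	return uint32(got) == want, nil
}

func main() {
	cfg := []byte(`{"process":{"user":{"uid":0,"gid":0,"umask":23}}}`) // constructed sample
	for _, out := range []string{"0022\n", "0027\n"} {
		ok, err := umaskHonoured(cfg, out)
		fmt.Println(strings.TrimSpace(out), ok, err)
	}
}
```

An explicit `"umask": 0` is kept as 0 rather than replaced by the default, which is why the field is a pointer.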
