Merge pull request #941 from cyphar/config-umask-option

config: add "umask" field to POSIX "user" section
opencontainers · Dec 17, 2019 · cd13d2d · cd13d2d
2 parents 19e92ca + 6b04c63
commit cd13d2d
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/config.md b/config.md
@@ -221,6 +221,7 @@ For POSIX platforms the `user` structure has the following fields:
 
 * **`uid`** (int, REQUIRED) specifies the user ID in the [container namespace](glossary.md#container-namespace).
 * **`gid`** (int, REQUIRED) specifies the group ID in the [container namespace](glossary.md#container-namespace).
+* **`umask`** (int, OPTIONAL) specifies the [umask][umask_2] of the user. If unspecified, the umask should not be changed from the calling process' umask.
 * **`additionalGids`** (array of ints, OPTIONAL) specifies additional group IDs in the [container namespace](glossary.md#container-namespace) to be added to the process.
 
 _Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
@@ -237,6 +238,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
     "user": {
         "uid": 1,
         "gid": 1,
+        "umask": 63,
         "additionalGids": [5, 6]
     },
     "env": [
@@ -295,6 +297,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
     "user": {
         "uid": 1,
         "gid": 1,
+        "umask": 7,
         "additionalGids": [2, 8]
     },
     "env": [
@@ -855,6 +858,7 @@ Here is a full example `config.json` for reference.
 [selinux]:http://selinuxproject.org/page/Main_Page
 [no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
 [proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt
+[umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html
 [semver-v2.0.0]: http://semver.org/spec/v2.0.0.html
 [ieee-1003.1-2008-xbd-c8.1]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_01
 [ieee-1003.1-2008-functions-exec]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html

diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -92,6 +92,10 @@
                         "gid": {
                             "$ref": "defs.json#/definitions/GID"
                         },
+                        "umask": {
+                            "id": "https://opencontainers.org/schema/bundle/process/user/umask",
+                            "$ref": "defs.json#/definitions/Umask"
+                        },
                         "additionalGids": {
                             "$ref": "defs.json#/definitions/ArrayOfGIDs"
                         },

diff --git a/schema/defs.json b/schema/defs.json
@@ -60,6 +60,9 @@
         "GID": {
             "$ref": "#/definitions/uint32"
         },
+		"Umask": {
+            "$ref": "#/definitions/uint32"
+		},
         "ArrayOfGIDs": {
             "type": "array",
             "items": {

diff --git a/specs-go/config.go b/specs-go/config.go
@@ -89,6 +89,8 @@ type User struct {
 	UID uint32 `json:"uid" platform:"linux,solaris"`
 	// GID is the group id.
 	GID uint32 `json:"gid" platform:"linux,solaris"`
+	// Umask is the umask for the init process.
+	Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`
 	// AdditionalGids are additional group ids set for the container's process.
 	AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
 	// Username is the user name.