Add --umask flag for create, run

--umask sets the umask inside the container
Defaults to 0022

Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Ashley Cui <acui@redhat.com>

6 files changed, 40 insertions, 0 deletions

diff --git a/libpod/container.go b/libpod/container.go
index fda018640..8a69df685 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -437,6 +437,9 @@ type ContainerConfig struct {
 	// Timezone is the timezone inside the container.
 	// Local means it has the same timezone as the host machine
 	Timezone string `json:"timezone,omitempty"`
+
+	// Umask is the umask inside the container.
+	Umask string `json:"umask,omitempty"`
 }
 
 // ContainerNamedVolume is a named volume that will be mounted into the
@@ -1276,5 +1279,8 @@ func (c *Container) AutoRemove() bool {
 
 func (c *Container) Timezone() string {
 	return c.config.Timezone
+}
 
+func (c *Container) Umask() string {
+	return c.config.Umask
 }
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index 680776dba..a0d223c8c 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -325,6 +325,14 @@ func (c *Container) generateInspectContainerConfig(spec *spec.Spec) *define.Insp
 
 	ctrConfig.Timezone = c.config.Timezone
 
+	// Pad Umask to 4 characters
+	if len(c.config.Umask) < 4 {
+		pad := strings.Repeat("0", 4-len(c.config.Umask))
+		ctrConfig.Umask = pad + c.config.Umask
+	} else {
+		ctrConfig.Umask = c.config.Umask
+	}
+
 	return ctrConfig
 }
 
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 1c21f2ff9..edea62a0d 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -355,6 +355,14 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		g.SetProcessGID(uint32(execUser.Gid))
 	}
 
+	if c.config.Umask != "" {
+		decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Invalid Umask Value")
+		}
+		g.SetProcessUmask(uint32(decVal))
+	}
+
 	// Add addition groups if c.config.GroupAdd is not empty
 	if len(c.config.Groups) > 0 {
 		gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)
diff --git a/libpod/define/config.go b/libpod/define/config.go
index 64b24d9e2..6c426f2ec 100644
--- a/libpod/define/config.go
+++ b/libpod/define/config.go
@@ -20,6 +20,8 @@ var (
 	NameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.-]*$")
 	// RegexError is thrown in presence of an invalid container/pod name.
 	RegexError = errors.Wrapf(ErrInvalidArg, "names must match [a-zA-Z0-9][a-zA-Z0-9_.-]*")
+	// UmaskRegex is a regular expression to validate Umask.
+	UmaskRegex = regexp.MustCompile(`^[0-7]{1,4}$`)
 )
 
 const (
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index fbd9da3e7..a08cb3de6 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -61,6 +61,8 @@ type InspectContainerConfig struct {
 	// systemd mode, the container configuration is customized to optimize
 	// running systemd in the container.
 	SystemdMode bool `json:"SystemdMode,omitempty"`
+	// Umask is the umask inside the container.
+	Umask string `json:"Umask,omitempty"`
 }
 
 // InspectRestartPolicy holds information about the container's restart policy.
diff --git a/libpod/options.go b/libpod/options.go
index 40cf452db..41b0d7212 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1607,6 +1607,20 @@ func WithTimezone(path string) CtrCreateOption {
 	}
 }
 
+// WithUmask sets the umask in the container
+func WithUmask(umask string) CtrCreateOption {
+	return func(ctr *Container) error {
+		if ctr.valid {
+			return define.ErrCtrFinalized
+		}
+		if !define.UmaskRegex.MatchString(umask) {
+			return errors.Wrapf(define.ErrInvalidArg, "Invalid umask string %s", umask)
+		}
+		ctr.config.Umask = umask
+		return nil
+	}
+}
+
 // Pod Creation Options
 
 // WithPodName sets the name of the pod.