v2 runtime: reduce permissions for bundle dir

Bundle directory permissions should be 0700 by default.  On Linux with
user namespaces enabled, the remapped root also needs access to the
bundle directory.  In this case, the bundle directory is modified to
0710 and group ownership is changed to the remapped root group.

Signed-off-by: Samuel Karp <skarp@amazon.com>
Samuel Karp
2021-09-20 16:20:26 -07:00
parent 483e23bdcd
commit 7d56b24f1a
5 changed files with 270 additions and 1 deletions


@@ -72,7 +72,10 @@ func NewBundle(ctx context.Context, root, state, id string, spec []byte) (b *Bun
if err := os.MkdirAll(filepath.Dir(b.Path), 0711); err != nil {
return nil, err
}
if err := os.Mkdir(b.Path, 0711); err != nil {
if err := os.Mkdir(b.Path, 0700); err != nil {
return nil, err
}
if err := prepareBundleDirectoryPermissions(b.Path, spec); err != nil {
return nil, err
}
paths = append(paths, b.Path)
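Review bot: When `prepareBundleDirectoryPermissions` fails, the function returns before `paths = append(paths, b.Path)` runs, so the bundle directory that `os.Mkdir` just created is not yet recorded in `paths`. If NewBundle removes the entries of `paths` on error (that cleanup is not visible in this hunk, so this is inferred), the directory would be left behind on this new error path. Moving `paths = append(paths, b.Path)` to directly after the successful `os.Mkdir`, ahead of the permissions call, would cover it. A short comment above the call would also help, for example `// 0700 by default; widened to 0710 with the remapped root group when user namespaces are in use`. NewBundle's body starts and ends outside the hunk.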