From aea3b96d55b9ecd541427ecf523f9300c1b64c8e Mon Sep 17 00:00:00 2001
From: Kathryn Baldauf
Date: Thu, 28 Oct 2021 15:40:29 -0700
Subject: [PATCH] Fix permissions issues with sandbox mounts

Signed-off-by: Kathryn Baldauf
---
 .../guest/runtime/hcsv2/workload_container.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/internal/guest/runtime/hcsv2/workload_container.go b/internal/guest/runtime/hcsv2/workload_container.go
index 913552fc3d..712b00635c 100644
--- a/internal/guest/runtime/hcsv2/workload_container.go
+++ b/internal/guest/runtime/hcsv2/workload_container.go
@@ -40,7 +40,13 @@ func updateSandboxMounts(sbid string, spec *oci.Spec) error {
 _, err := os.Stat(sandboxSource)
 if os.IsNotExist(err) {
- if err := os.MkdirAll(sandboxSource, 0755); err != nil {
+ // os.MkdirAll combines the given permissions with the running process's
+ // umask. By default this causes 0777 to become 0755.
+ // Temporarily set the umask of this process to 0 so that we can actually
+ // make all dirs with os.ModePerm permissions.
+ savedUmask := unix.Umask(0)
+ defer unix.Umask(savedUmask)
+ if err := os.MkdirAll(sandboxSource, os.ModePerm); err != nil {
 return err
 }
 }
@@ -68,7 +74,13 @@ func updateHugePageMounts(sbid string, spec *oci.Spec) error {
 _, err := os.Stat(hugePageMountSource)
 if os.IsNotExist(err) {
- if err := os.MkdirAll(hugePageMountSource, 0755); err != nil {
+ // os.MkdirAll combines the given permissions with the running process's
+ // umask. By default this causes 0777 to become 0755.
+ // Temporarily set the umask of this process to 0 so that we can actually
+ // make all dirs with os.ModePerm permissions.
+ savedUmask := unix.Umask(0)
+ defer unix.Umask(savedUmask)
+ if err := os.MkdirAll(hugePageMountSource, os.ModePerm); err != nil {
 return err
 }
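Review bot: `unix.Umask(0)` changes a process-wide attribute, so for as long as the deferred restore is pending every other goroutine in this agent that creates a file or directory does so with no umask at all, and because the restore is a `defer` it runs only when updateSandboxMounts returns, not at the end of the `if os.IsNotExist(err)` block in which it is placed (the function's body starts and ends outside the hunk, so how long that window is cannot be seen here); the second hunk in updateHugePageMounts has the same shape. An approach that leaves process state alone is to keep the MkdirAll as it was and set the mode explicitly afterwards, since chmod is not subject to the umask: `if err := os.Chmod(sandboxSource, os.ModePerm); err != nil { return err }` (and likewise for hugePageMountSource). That only covers the leaf directory; if the intermediate directories MkdirAll creates also need to be world-writable, that should be confirmed before switching. If the umask approach is kept, the added comment should state that the change is process-wide and the restore should follow the MkdirAll call directly rather than being deferred, to keep the window as small as possible.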