Adding Umask= key to Quadlet .container files.

containers · Feb 11, 2025 · 1fb356a · 1fb356a
1 parent 2e36bc0
commit 1fb356a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 0 deletions.
diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
@@ -351,6 +351,7 @@ Valid options for `[Container]` are listed below:
 | Tmpfs=/work                          | --tmpfs /work                                        |
 | UIDMap=0:10000:10                    | --uidmap=0:10000:10                                  |
 | Ulimit=nofile=1000:10000             | --ulimit nofile=1000:10000                           |
+| Umask=0002                           | --umask=0002                                         |
 | Unmask=ALL                           | --security-opt unmask=ALL                            |
 | User=bin                             | --user bin                                           |
 | UserNS=keep-id:uid=200,gid=210       | --userns keep-id:uid=200,gid=210                     |
@@ -894,6 +895,15 @@ Ulimit options. Sets the ulimits values inside of the container.
 
 This key can be listed multiple times.
 
+### `Umask=`
+
+Set the umask of the process. This is equivalent to the Podman `--umask` and generally has the form `[UMASK]`
+
+Example:
+```
+Umask=0002
+```
+
 ### `Unmask=`
 
 Specify the paths to unmask separated by a colon. unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*):

diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
@@ -168,6 +168,7 @@ const (
 	KeyType                  = "Type"
 	KeyUIDMap                = "UIDMap"
 	KeyUlimit                = "Ulimit"
+	KeyUmask                 = "Umask"
 	KeyUnmask                = "Unmask"
 	KeyUser                  = "User"
 	KeyUserNS                = "UserNS"
@@ -277,6 +278,7 @@ var (
 		KeyTmpfs:                 true,
 		KeyUIDMap:                true,
 		KeyUlimit:                true,
+		KeyUmask:                 true,
 		KeyUnmask:                true,
 		KeyUser:                  true,
 		KeyUserNS:                true,
@@ -635,6 +637,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool, unitsInfoMap map[
 		KeyStopSignal:  "--stop-signal",
 		KeyStopTimeout: "--stop-timeout",
 		KeyPull:        "--pull",
+		KeyUmask:       "--umask",
 	}
 	lookupAndAddString(container, ContainerGroup, stringKeys, podman)
 
@@ -2220,3 +2223,4 @@ func addDefaultDependencies(service *parser.UnitFile, isUser bool) {
 		service.PrependUnitLine(UnitGroup, "Wants", networkUnit)
 	}
 }
+
diff --git a/test/e2e/quadlet/umask.container b/test/e2e/quadlet/umask.container
@@ -0,0 +1,5 @@
+## assert-podman-args "--umask" "0002"
+
+[Container]
+Image=localhost/imagename
+Umask=0002
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
@@ -910,6 +910,7 @@ BOGUS=foo
 		Entry("sysctl.container", "sysctl.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("ulimit.container", "ulimit.container"),
+                Entry("umask.container", "umask.container")
 		Entry("unmask.container", "unmask.container"),
 		Entry("user.container", "user.container"),
 		Entry("userns.container", "userns.container"),