diff options
| author | Djalal Harouni <tixxdz@opendz.org> | 2017-01-18 14:36:07 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-01-18 14:36:07 +0100 |
| commit | 0819dd72df6fc552ea5ca4ea948e4a3c1d2fe78f (patch) | |
| tree | 4e91e7cd5e5032caa9c90a7d8271378d65db1697 | |
| parent | 5b3637b44a28d3fb2ba8b272905c64d9dbae4d26 (diff) | |
| parent | 9bcef20646b6313e42f8ccd1b1b554553bb364c9 (diff) | |
Merge pull request #5098 from evverx/fix-nspawn-notifications
nspawn: change owner/group of /run/systemd/nspawn/notify to userns-root
| -rw-r--r-- | src/nspawn/nspawn.c | 6 | ||||
| -rwxr-xr-x | test/TEST-13-NSPAWN-SMOKE/test.sh | 12 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 78ae2f4a0f..532be148a6 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2363,6 +2363,12 @@ static int setup_sd_notify_child(void) { return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path); } + r = userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH, 0, 0); + if (r < 0) { + safe_close(fd); + return log_error_errno(r, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH ": %m"); + } + r = setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)); if (r < 0) { safe_close(fd); diff --git a/test/TEST-13-NSPAWN-SMOKE/test.sh b/test/TEST-13-NSPAWN-SMOKE/test.sh index b8b8ec34bd..75b99236a3 100755 --- a/test/TEST-13-NSPAWN-SMOKE/test.sh +++ b/test/TEST-13-NSPAWN-SMOKE/test.sh @@ -43,6 +43,9 @@ test_setup() { cp create-busybox-container $initdir/ + ./create-busybox-container $initdir/nc-container + initdir="$initdir/nc-container" dracut_install nc + # setup the testsuite service cat >$initdir/etc/systemd/system/testsuite.service <<EOF [Unit] @@ -91,6 +94,13 @@ function check_bind_tmp_path { systemd-nspawn --register=no -D "$_root" --bind=/tmp/bind /bin/sh -c 'test -e /tmp/bind' } +function check_notification_socket { + # https://github.com/systemd/systemd/issues/4944 + local _cmd='echo a | $(busybox which nc) -U -u -w 1 /run/systemd/nspawn/notify' + systemd-nspawn --register=no -D /nc-container /bin/sh -x -c "$_cmd" + systemd-nspawn --register=no -D /nc-container -U /bin/sh -x -c "$_cmd" +} + function run { if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2 @@ -123,6 +133,8 @@ function run { check_bind_tmp_path +check_notification_socket + for api_vfs_writable in yes no network; do run no no $api_vfs_writable run yes no $api_vfs_writable |