From adc7d9f0da58589a85d278b2b0e92b8cd55cb99a Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Tue, 17 Jan 2017 01:19:34 +0000
Subject: [PATCH 1/2] nspawn: change owner/group of /run/systemd/nspawn/notify to userns-root

Fixes #4944
---
 src/nspawn/nspawn.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 78ae2f4a0f..532be148a6 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2363,6 +2363,12 @@ static int setup_sd_notify_child(void) {
 return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
 }
 
+ r = userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH, 0, 0);
+ if (r < 0) {
+ safe_close(fd);
+ return log_error_errno(r, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH ": %m");
+ }
+
 r = setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
 if (r < 0) {
 safe_close(fd);

From 9bcef20646b6313e42f8ccd1b1b554553bb364c9 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Tue, 17 Jan 2017 01:37:05 +0000
Subject: [PATCH 2/2] tests: check that we can write to /run/systemd/nspawn/notify

See https://github.com/systemd/systemd/issues/4944
---
 test/TEST-13-NSPAWN-SMOKE/test.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/test/TEST-13-NSPAWN-SMOKE/test.sh b/test/TEST-13-NSPAWN-SMOKE/test.sh
index b8b8ec34bd..75b99236a3 100755
--- a/test/TEST-13-NSPAWN-SMOKE/test.sh
+++ b/test/TEST-13-NSPAWN-SMOKE/test.sh
@@ -43,6 +43,9 @@ test_setup() {
 cp create-busybox-container $initdir/
+ ./create-busybox-container $initdir/nc-container
+ initdir="$initdir/nc-container" dracut_install nc
+ # setup the testsuite service cat >$initdir/etc/systemd/system/testsuite.service <&2
@@ -123,6 +133,8 @@ function run {
 check_bind_tmp_path
+check_notification_socket
+
 for api_vfs_writable in yes no network; do
 run no no $api_vfs_writable
 run yes no $api_vfs_writable
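Review bot: The new userns_lchown() call covers only the socket inode, while whether a process running as the mapped root inside the container can actually connect() also depends on the ownership and search permission of the parent directory (NSPAWN_NOTIFY_SOCKET_PATH's dirname) and on the mode bind() left on the socket, neither of which this hunk touches; it is worth confirming at the place the directory is created (outside this hunk) that it is either world-searchable or chowned the same way. A smaller point is that `r` now carries two conventions within a few lines: userns_lchown() evidently returns a negative errno (it is passed straight to `log_error_errno(r, ...)`), whereas the setsockopt() result that follows is -1 with errno set. A one-line comment above the new call, `/* userns_lchown() returns -errno; setsockopt() below returns -1 and sets errno */`, would keep the next reader from mixing the two up. setup_sd_notify_child() begins and ends outside the hunk.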