linux: create the notify socket one level below

so there is no risk of overriding another existing mount. If NOTIFY_SOCKET=/run/foo/bar the notify socket will be mounted at /run/foo/bar/notify in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
containers · Jun 29, 2020 · c04fd15 · c04fd15
1 parent 3cd4f0c
commit c04fd15
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 17 deletions.
diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -562,7 +562,7 @@ do_hooks (runtime_spec_schema_config_schema *def,
 /* Initialize the environment where the container process runs.
    It is used by the container init process.  */
 static int
-container_init_setup (void *args, const char *notify_socket,
+container_init_setup (void *args, char *notify_socket,
                       int sync_socket, const char **exec_path,
                       libcrun_error_t *err)
 {
@@ -769,10 +769,8 @@ container_init_setup (void *args, const char *notify_socket,
 
   if (notify_socket)
     {
-      char *notify_socket_env;
-      xasprintf (&notify_socket_env, "NOTIFY_SOCKET=%s", notify_socket);
-      if (putenv (notify_socket_env) < 0)
-        return crun_make_error (err, errno, "putenv `%s`", notify_socket_env);
+      if (putenv (notify_socket) < 0)
+        return crun_make_error (err, errno, "putenv `%s`", notify_socket);
     }
 
   return 0;
@@ -806,13 +804,14 @@ int open_hooks_output (libcrun_container_t *container, int *out_fd, int *err_fd,
 
 /* Entrypoint to the container.  */
 static int
-container_init (void *args, const char *notify_socket, int sync_socket,
+container_init (void *args, char *notify_socket, int sync_socket,
                 libcrun_error_t *err)
 {
   struct container_entrypoint_s *entrypoint_args = args;
   int ret;
   runtime_spec_schema_config_schema *def = entrypoint_args->container->container_def;
   cleanup_free const char *exec_path = NULL;
+  cleanup_free char *notify_socket_cleanup = notify_socket;
 
   entrypoint_args->sync_socket = sync_socket;
 

diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -1606,7 +1606,7 @@ do_notify_socket (libcrun_container_t *container, const char *rootfs, libcrun_er
   if (notify_socket == NULL)
     return 0;
 
-  xasprintf (&container_notify_socket_path, "%s%s", rootfs, notify_socket);
+  xasprintf (&container_notify_socket_path, "%s%s/notify", rootfs, notify_socket);
   xasprintf (&host_notify_socket_path, "%s/notify", state_dir);
 
   ret = mkdir (host_notify_socket_path, 0700);
@@ -3112,7 +3112,7 @@ libcrun_run_linux_container (libcrun_container_t *container,
    __attribute__((cleanup (cleanup_free_init_statusp))) struct init_status_s init_status;
   runtime_spec_schema_config_schema *def = container->container_def;
   cleanup_close int sync_socket_container = -1;
-  cleanup_free char *notify_socket_env = NULL;
+  char *notify_socket_env = NULL;
   cleanup_close int sync_socket_host = -1;
   bool clone_can_create_userns;
   int sync_socket[2];
@@ -3304,11 +3304,7 @@ libcrun_run_linux_container (libcrun_container_t *container,
 
   /* Jump into the specified entrypoint.  */
   if (container->context->notify_socket)
-    {
-      cleanup_free char *tmp = xstrdup (container->context->notify_socket);
-      char *dir = dirname (tmp);
-      xasprintf (&notify_socket_env, "%s/notify", dir);
-    }
+    xasprintf (&notify_socket_env, "NOTIFY_SOCKET=%s/notify", container->context->notify_socket);
 
   entrypoint (args, notify_socket_env, sync_socket_container, err);
 

diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
@@ -27,7 +27,7 @@
 # include "container.h"
 # include "status.h"
 
-typedef int (*container_entrypoint_t) (void *args, const char *notify_socket,
+typedef int (*container_entrypoint_t) (void *args, char *notify_socket,
                                        int sync_socket,
                                        libcrun_error_t *err);
 

diff --git a/tests/test_start.py b/tests/test_start.py
@@ -68,15 +68,15 @@ def test_sd_notify():
     env["NOTIFY_SOCKET"] = "/run/notify/the-socket"
     try:
         out, cid = run_and_get_output(conf, env=env, command='run')
-        if "/run/notify" not in str(out):
+        if "/run/notify/the-socket" not in str(out):
             return -1
     except:
         return -1
     return 0
 
 def test_sd_notify_file():
     conf = base_config()
-    conf['process']['args'] = ['/init', 'ls', '/tmp/parent-dir']
+    conf['process']['args'] = ['/init', 'ls', '/tmp/parent-dir/the-socket/']
     add_all_namespaces(conf)
     env = dict(os.environ)
     env["NOTIFY_SOCKET"] = "/tmp/parent-dir/the-socket"
@@ -96,7 +96,7 @@ def test_sd_notify_env():
     env["NOTIFY_SOCKET"] = "/tmp/parent-dir/the-socket"
     try:
         out, cid = run_and_get_output(conf, env=env, command='run')
-        if "/tmp/parent-dir/notify" not in str(out):
+        if "/tmp/parent-dir/the-socket/notify" not in str(out):
             return -1
     except:
         return -1