
Change the permissions of the notify listener socket to rwx for everyone

When runc is started as a `Type=notify` systemd service,
runc opens up its own listening socket inside the container
to act as a proxy between the container and systemd for passing
notify messages.

The domain socket that runc creates is only writeable by the user
running runc however, so if the container has a different UID/GID
then nothing inside the container will be able to write to the socket.

The fix is to change the permissions of the notify listener socket to 0777.

Signed-off-by: Joe Burianek <joe.burianek@pantheon.io>
jburianek committed May 7, 2019
1 parent 70bc4cd commit 7a9ffa897f1a9c1e4bac6bd9b5986696e77348ef
Showing with 7 additions and 0 deletions.
  1. +7 −0 notify_socket.go
@@ -6,6 +6,7 @@ import (
"bytes"
"fmt"
"net"
"os"
"path/filepath"

"github.com/opencontainers/runtime-spec/specs-go"
@@ -60,6 +61,12 @@ func (s *notifySocket) setupSocket() error {
return err
}

err = os.Chmod(s.socketPath, 0777)
if err != nil {
socket.Close()
return err
}

s.socket = socket
return nil
}
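Review bot: `os.Chmod(s.socketPath, 0777)` is broader than the problem described in the commit message needs. The execute bit carries no meaning on a Unix domain socket, and a world-writable mode lets any local process that can reach the path, not only the container's process, connect and send notify messages that runc will relay to systemd on the service's behalf (for example a premature `READY=1` or a `STOPPING=1`). Since the stated cause is that the container runs under a different UID/GID than runc, a narrower fix is to `os.Chown` the socket to the container's user and group from the spec and keep the mode at `0660` (or `0600` if group access is not needed). If a permissive mode is kept deliberately, please add a comment above the `Chmod` stating why and noting that the enclosing directory's permissions must also be considered, since they gate access to the socket as much as the socket's own mode does. The `socket.Close()` on the error path is correct and matches the existing cleanup style in `setupSocket`.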
