From 7a9ffa897f1a9c1e4bac6bd9b5986696e77348ef Mon Sep 17 00:00:00 2001
From: Joe Burianek
Date: Tue, 7 May 2019 11:28:49 -0500
Subject: [PATCH] Change the permissions of the notify listener socket to rwx for everyone

When runc is started as a `Type=notify` systemd service, runc opens up its own listening socket inside the container to act as a proxy between the container and systemd for passing notify messages. The domain socket that runc creates is only writeable by the user running runc however, so if the container has a different UID/GID then nothing inside the container will be able to write to the socket.

The fix is to change the permissions of the notify listener socket to 0777.

Signed-off-by: Joe Burianek
---
 notify_socket.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/notify_socket.go b/notify_socket.go
index b890b5b1c1a..e7453c62220 100644
--- a/notify_socket.go
+++ b/notify_socket.go
@@ -6,6 +6,7 @@ import (
 	"bytes"
 	"fmt"
 	"net"
+	"os"
 	"path/filepath"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -60,6 +61,12 @@ func (s *notifySocket) setupSocket() error {
 		return err
 	}
 
+	err = os.Chmod(s.socketPath, 0777)
+	if err != nil {
+		socket.Close()
+		return err
+	}
+
 	s.socket = socket
 	return nil
 }
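Review bot: `os.Chmod(s.socketPath, 0777)` in the second hunk makes the proxy socket writable by every account on the host that can reach its path, not only by processes inside the container, so any local user could feed notify messages through runc to systemd; the execute bit is also meaningless on a socket, so 0777 is wider than the stated goal needs. A narrower fix is to keep the mode at 0660 and `os.Chown` the socket to the UID/GID the container process will run as, which the commit message identifies as the actual problem; if world-writable is the intended trade-off, that should be recorded next to the call, e.g. `// Container processes run as an arbitrary UID/GID; world-writable is accepted so they can reach the proxy.`. The `socket.Close()` return value in the error path is dropped without comment and the existing error is the one worth returning, so a `// best effort; the Chmod error is reported` note would make that deliberate. setupSocket's body begins outside the hunk.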