Change the permissions of the notify listener socket to rwx for everyone
When runc is started as a `Type=notify` systemd service,
runc opens up its own listening socket inside the container
to act as a proxy between the container and systemd for passing
notify messages.

The domain socket that runc creates is only writeable by the user
running runc however, so if the container has a different UID/GID
then nothing inside the container will be able to write to the socket.

The fix is to change the permissions of the notify listener socket to 0777.

Signed-off-by: Joe Burianek <joe.burianek@pantheon.io>
Joe Burianek committed May 7, 2019
1 parent 70bc4cd commit 7a9ffa8
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions notify_socket.go
Expand Up @@ -6,6 +6,7 @@ import (
"bytes"
"fmt"
"net"
"os"
"path/filepath"

"github.com/opencontainers/runtime-spec/specs-go"
Expand Down Expand Up @@ -60,6 +61,12 @@ func (s *notifySocket) setupSocket() error {
return err
}

err = os.Chmod(s.socketPath, 0777)
if err != nil {
socket.Close()
return err
}

s.socket = socket
return nil
}
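Review bot: `os.Chmod(s.socketPath, 0777)` makes the notify socket writable by every user that can reach its path, not just the container's UID/GID that the commit message is trying to accommodate; on a Unix domain socket the write bit is what gates `connect()`, so this lets any local process inject notify messages through runc's proxy. Least privilege would be to chown the socket to the container's UID/GID (the identity the message says differs from the runc user) and keep a narrow mode such as `0660`, or at minimum drop the execute bits, which have no meaning on a socket; whether that identity is available inside `setupSocket()` is not visible in this hunk, so that is an assumption to confirm. The error handling itself mirrors the existing pattern above (close the listener, return the error), and the `"os"` import in the first hunk is the only other change, so the remaining concern is the permission bits.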
