Merge pull request #5098 from evverx/fix-nspawn-notifications

nspawn: change owner/group of /run/systemd/nspawn/notify to userns-root

src/nspawn/nspawn.c

@@ -2363,6 +2363,12 @@ static int setup_sd_notify_child(void) {
                 return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
         }
 
+        r = userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH, 0, 0);
+        if (r < 0) {
+                safe_close(fd);
+                return log_error_errno(r, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH ": %m");
+        }
+
         r = setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
         if (r < 0) {
                 safe_close(fd);

test/TEST-13-NSPAWN-SMOKE/test.sh

@@ -43,6 +43,9 @@ test_setup() {
 
         cp create-busybox-container $initdir/
 
+        ./create-busybox-container $initdir/nc-container
+        initdir="$initdir/nc-container" dracut_install nc
+
         # setup the testsuite service
         cat >$initdir/etc/systemd/system/testsuite.service <<EOF
 [Unit]
@@ -91,6 +94,13 @@ function check_bind_tmp_path {
     systemd-nspawn --register=no -D "$_root" --bind=/tmp/bind /bin/sh -c 'test -e /tmp/bind'
 }
 
+function check_notification_socket {
+    # https://github.com/systemd/systemd/issues/4944
+    local _cmd='echo a | $(busybox which nc) -U -u -w 1 /run/systemd/nspawn/notify'
+    systemd-nspawn --register=no -D /nc-container /bin/sh -x -c "$_cmd"
+    systemd-nspawn --register=no -D /nc-container -U /bin/sh -x -c "$_cmd"
+}
+
 function run {
     if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
         printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
@@ -123,6 +133,8 @@ function run {
 
 check_bind_tmp_path
 
+check_notification_socket
+
 for api_vfs_writable in yes no network; do
     run no no $api_vfs_writable
     run yes no $api_vfs_writable