[systemd-devel] [PATCH] Handle Unix domain socket connections from outside our namespace
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Wed Apr 16 19:24:30 PDT 2014
On Wed, Apr 16, 2014 at 06:39:07PM +0200, Eelco Dolstra wrote:
> NixOS uses Unix domain sockets for certain host <-> container
> interaction; i.e. the host connects to a socket visible in the
> container's directory tree, where the container uses a .socket unit to
> spawn the handler program on demand. This worked in systemd 203, but
> in 212 fails with "foo.socket failed to queue service startup job
> (Maybe the service file is missing or not a template unit?): No data
> available".
>
> The reason is that getpeercred() now returns ENODATA if it can't get
> the PID of the client, which happens in this case because the client
> is not in the same PID namespace. Since getpeercred() is only used to
> generate the instance name, this patch simply handles ENODATA by
> creating an instance name "<nr>-unknown".
Applied, but I changed the order of clauses in the if, because the
thin 'return k' between the two asprintfs was bother me :)
Zbyszek
> k = getpeercred(fd, &ucred);
> - if (k < 0)
> + if (k == -ENODATA) {
> + /* This handles the case where somebody is
> + * connecting from another pid/uid namespace
> + * (e.g. from outside of our container). */
> + if (asprintf(&r,
> + "%u-unknown",
> + nr) < 0)
> + return -ENOMEM;
> + }
> + else if (k < 0)
> return k;
> -
> - if (asprintf(&r,
> - "%u-%lu-%lu",
> - nr,
> - (unsigned long) ucred.pid,
> - (unsigned long) ucred.uid) < 0)
> - return -ENOMEM;
> -
> + else {
> + if (asprintf(&r,
> + "%u-%lu-%lu",
> + nr,
> + (unsigned long) ucred.pid,
> + (unsigned long) ucred.uid) < 0)
> + return -ENOMEM;
> + }
> break;
> }
>
> --
> 1.9.0
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
More information about the systemd-devel
mailing list