b->output_fd = b->input_fd;
- r = bus_socket_setup(b);
- if (r < 0)
- return r;
+ bus_socket_setup(b);
child = fork();
if (child < 0)
return -errno;
if (child == 0) {
+ pid_t grandchild;
r = namespace_enter(pidnsfd, mntnsfd, rootfd);
if (r < 0)
_exit(255);
- r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
- if (r < 0) {
- if (errno == EINPROGRESS)
- _exit(1);
+ /* We just changed PID namespace, however it will only
+ * take effect on the children we now fork. Hence,
+ * let's fork another time, and connect from this
+ * grandchild, so that SO_PEERCRED of our connection
+ * comes from a process from within the container, and
+ * not outside of it */
+ grandchild = fork();
+ if (grandchild < 0)
_exit(255);
+
+ if (grandchild == 0) {
+
+ r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
+ if (r < 0) {
+ if (errno == EINPROGRESS)
+ _exit(1);
+
+ _exit(255);
+ }
+
+ _exit(EXIT_SUCCESS);
}
- _exit(EXIT_SUCCESS);
+ r = wait_for_terminate(grandchild, &si);
+ if (r < 0)
+ _exit(255);
+
+ if (si.si_code != CLD_EXITED)
+ _exit(255);
+
+ _exit(si.si_status);
}
r = wait_for_terminate(child, &si);
return -errno;
if (child == 0) {
+ pid_t grandchild;
+
close_nointr_nofail(pair[0]);
pair[0] = -1;
if (r < 0)
_exit(EXIT_FAILURE);
- fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
- if (fd < 0)
+ /* We just changed PID namespace, however it will only
+ * take effect on the children we now fork. Hence,
+ * let's fork another time, and connect from this
+ * grandchild, so that kdbus only sees the credentials
+ * of this process which comes from within the
+ * container, and not outside of it */
+
+ grandchild = fork();
+ if (grandchild < 0)
_exit(EXIT_FAILURE);
- cmsg = CMSG_FIRSTHDR(&mh);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_RIGHTS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(int));
- memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
+ if (grandchild == 0) {
+
+ fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
+ if (fd < 0)
+ _exit(EXIT_FAILURE);
+
+ cmsg = CMSG_FIRSTHDR(&mh);
+ cmsg->cmsg_level = SOL_SOCKET;
+ cmsg->cmsg_type = SCM_RIGHTS;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+ memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
- mh.msg_controllen = cmsg->cmsg_len;
+ mh.msg_controllen = cmsg->cmsg_len;
+
+ if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
+ _exit(EXIT_FAILURE);
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ r = wait_for_terminate(grandchild, &si);
+ if (r < 0)
+ _exit(EXIT_FAILURE);
- if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
+ if (si.si_code != CLD_EXITED)
_exit(EXIT_FAILURE);
- _exit(EXIT_SUCCESS);
+ _exit(si.si_status);
}
close_nointr_nofail(pair[1]);
pair[1] = -1;
+ r = wait_for_terminate(child, &si);
+ if (r < 0)
+ return r;
+
+ if (si.si_code != CLD_EXITED)
+ return -EIO;
+
+ if (si.si_status != EXIT_SUCCESS)
+ return -EIO;
+
if (recvmsg(pair[0], &mh, MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) < 0)
return -errno;
fd = fds[0];
}
- r = wait_for_terminate(child, &si);
- if (r < 0)
- return r;
-
- if (si.si_code != CLD_EXITED)
- return -EIO;
-
- if (si.si_status != EXIT_SUCCESS)
- return -EIO;
-
b->input_fd = b->output_fd = fd;
fd = -1;
~ianmdlvl / elogind.git / blobdiff