libpod: skip DBUS_SESSION_BUS_ADDRESS in conmon

commit 7ade972 introduced the change
that caused an issue in crun since it forces the root user session
instead of the system one when DBUS_SESSION_BUS_ADDRESS is set.

I am addressing it in crun, but for the time being, let's also not
pass the variable down to conmon since the assumption is that when
running as root the containers must be created on the system bus.

Signed-off-by: Giuseppe Scrivano <[email protected]>

libpod/oci_conmon_common.go

@@ -1316,6 +1316,11 @@ func (r *ConmonOCIRuntime) configureConmonEnv() ([]string, error) {
 			// The NOTIFY_SOCKET must not leak into the environment.
 			continue
 		}
+		if strings.HasPrefix(v, "DBUS_SESSION_BUS_ADDRESS=") && !rootless.IsRootless() {
+			// The DBUS_SESSION_BUS_ADDRESS must not leak into the environment when running as root.
+			// This is because we want to use the system session for root containers, not the user session.
+			continue
+		}
 		res = append(res, v)
 	}
 	runtimeDir, err := util.GetRuntimeDir()

test/system/030-run.bats

@@ -1301,7 +1301,12 @@ search               | $IMAGE           |
     run_podman container inspect $cid --format "{{ .State.ConmonPid }}"
     conmon_pid="$output"
     is "$(< /proc/$conmon_pid/cmdline)" ".*--exit-command-arg--syslog.*" "conmon's exit-command has --syslog set"
-    assert "$(< /proc/$conmon_pid/environ)" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
+    conmon_env="$(< /proc/$conmon_pid/environ)"
+    assert "$conmon_env" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
+    assert "$conmon_env" !~ "NOTIFY_SOCKET=" "NOTIFY_SOCKET is not included (incl. BATS variables)"
+    if ! is_rootless; then
+        assert "$conmon_env" !~ "DBUS_SESSION_BUS_ADDRESS=" "DBUS_SESSION_BUS_ADDRESS is not included (incl. BATS variables)"
+    fi
 
     run_podman rm -f -t0 $cid
 }