Merge pull request #20425 from giuseppe/podman-do-not-leak-DBUS_SESSI…

…ON_BUS_ADDRESS-into-conmon libpod: skip DBUS_SESSION_BUS_ADDRESS in conmon
containers · Oct 21, 2023 · 19c870d · 19c870d
2 parents 3661c87 + 03947ab
commit 19c870d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go
@@ -1316,6 +1316,11 @@ func (r *ConmonOCIRuntime) configureConmonEnv() ([]string, error) {
 			// The NOTIFY_SOCKET must not leak into the environment.
 			continue
 		}
+		if strings.HasPrefix(v, "DBUS_SESSION_BUS_ADDRESS=") && !rootless.IsRootless() {
+			// The DBUS_SESSION_BUS_ADDRESS must not leak into the environment when running as root.
+			// This is because we want to use the system session for root containers, not the user session.
+			continue
+		}
 		res = append(res, v)
 	}
 	runtimeDir, err := util.GetRuntimeDir()

diff --git a/test/system/030-run.bats b/test/system/030-run.bats
@@ -1301,7 +1301,12 @@ search               | $IMAGE           |
     run_podman container inspect $cid --format "{{ .State.ConmonPid }}"
     conmon_pid="$output"
     is "$(< /proc/$conmon_pid/cmdline)" ".*--exit-command-arg--syslog.*" "conmon's exit-command has --syslog set"
-    assert "$(< /proc/$conmon_pid/environ)" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
+    conmon_env="$(< /proc/$conmon_pid/environ)"
+    assert "$conmon_env" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
+    assert "$conmon_env" !~ "NOTIFY_SOCKET=" "NOTIFY_SOCKET is not included (incl. BATS variables)"
+    if ! is_rootless; then
+        assert "$conmon_env" !~ "DBUS_SESSION_BUS_ADDRESS=" "DBUS_SESSION_BUS_ADDRESS is not included (incl. BATS variables)"
+    fi
 
     run_podman rm -f -t0 $cid
 }