nspawn: don't make /proc/kmsg node too special

Similar to the previous commit, let's just use our regular calls for managing temporary nodes take care of this.
2024-11-06 16:59:03 +03:00 · 2018-04-30 21:22:41 +02:00 · 2018-04-30 21:22:41 +02:00 · 9ec5a93c98
commit 9ec5a93c98
parent cdde6ba6b6
1 changed files with 19 additions and 19 deletions
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -1666,26 +1666,32 @@ static int setup_keyring(void) {
 }

 static int setup_kmsg(int kmsg_socket) {
-        const char *from, *to;
+        _cleanup_(unlink_and_freep) char *from = NULL;
+        _cleanup_free_ char *fifo = NULL;
+        _cleanup_close_ int fd = -1;
        _cleanup_umask_ mode_t u;
-        int fd, r;
+        const char *to;
+        int r;

        assert(kmsg_socket >= 0);

        u = umask(0000);

-        /* We create the kmsg FIFO as /run/kmsg, but immediately
-         * delete it after bind mounting it to /proc/kmsg. While FIFOs
-         * on the reading side behave very similar to /proc/kmsg,
-         * their writing side behaves differently from /dev/kmsg in
-         * that writing blocks when nothing is reading. In order to
-         * avoid any problems with containers deadlocking due to this
-         * we simply make /dev/kmsg unavailable to the container. */
-        from = "/run/kmsg";
+        /* We create the kmsg FIFO as as temporary file in /tmp, but immediately delete it after bind mounting it to
+         * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves
+         * differently from /dev/kmsg in that writing blocks when nothing is reading. In order to avoid any problems
+         * with containers deadlocking due to this we simply make /dev/kmsg unavailable to the container. */
+
+        r = tempfn_random_child(NULL, "proc-kmsg", &fifo);
+        if (r < 0)
+                return log_error_errno(r, "Failed to generate kmsg path: %m");
+
+        if (mkfifo(fifo, 0600) < 0)
+                return log_error_errno(errno, "mkfifo() for /run/kmsg failed: %m");
+
+        from = TAKE_PTR(fifo);
        to = "/proc/kmsg";

-        if (mkfifo(from, 0600) < 0)
-                return log_error_errno(errno, "mkfifo() for /run/kmsg failed: %m");
        r = mount_verbose(LOG_ERR, from, to, NULL, MS_BIND, NULL);
        if (r < 0)
                return r;
@ -1694,17 +1700,11 @@ static int setup_kmsg(int kmsg_socket) {
        if (fd < 0)
                return log_error_errno(errno, "Failed to open fifo: %m");

-        /* Store away the fd in the socket, so that it stays open as
-         * long as we run the child */
+        /* Store away the fd in the socket, so that it stays open as long as we run the child */
        r = send_one_fd(kmsg_socket, fd, 0);
-        safe_close(fd);
-
        if (r < 0)
                return log_error_errno(r, "Failed to send FIFO fd: %m");

-        /* And now make the FIFO unavailable as /run/kmsg... */
-        (void) unlink(from);
-
        return 0;
 }