linux: reject sysctl kernel.domainname in favor of OCI knob domainname

flouthoc · flouthoc · commit 6894b64ac52f · 2022-10-01T17:05:10.000+05:30
Setting sysctl `kernel.domainname` directly by user is not environment agnostic, it shows either incorrect ( on non-working ) behaviour in `rootless` environment. It was decided to make this part of `runtime-spec` so the OCI runtime can itself handle this behaviour correctly. As a result a new field `domainname` was added to `runtime-spec`. Since crun already implementes this field therefore `sysctl` configured by user conflicts with the behaviour expected by the OCI runtime. Runtime-spec PR: opencontainers/runtime-spec#1156 Furthermore a similar `sysctl` `kernal.hostname` is blocked by crun explicitly to prevent this conflicting behaviour. https://github.com/containers/crun/blob/main/src/libcrun/linux.c#L3203 Signed-off-by: Aditya R <arajan@redhat.com>
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -3191,13 +3191,7 @@ validate_sysctl (const char *original_value, const char *name, unsigned long nam
           }
 
       if (strcmp (name, "kernel/domainname") == 0)
-        {
-          if (namespaces_created & CLONE_NEWUTS)
-            return 0;
-
-          namespace = "UTS";
-          goto fail;
-        }
+        return crun_make_error (err, 0, "the sysctl `%s` conflicts with OCI field `domainname`", original_value);
 
       if (strcmp (name, "kernel/hostname") == 0)
         return crun_make_error (err, 0, "the sysctl `%s` conflicts with OCI field `hostname`", original_value);
diff --git a/tests/test_start.py b/tests/test_start.py
@@ -199,34 +199,22 @@ def test_uts_sysctl():
             if cid is not None:
                 run_crun_command(["delete", "-f", cid])
 
-    conf = base_config()
-    conf['process']['args'] = ['/init', 'true']
-    add_all_namespaces(conf, utsns=False)
-    conf['linux']['sysctl'] = {'kernel.domainname' : 'foo'}
-    cid = None
-    try:
-        _, cid = run_and_get_output(conf)
-        sys.stderr.write("unexpected success\n")
-        return -1
-    except:
-        return 0
-    finally:
-        if cid is not None:
-            run_crun_command(["delete", "-f", cid])
-
-    conf = base_config()
-    conf['process']['args'] = ['/init', 'true']
-    add_all_namespaces(conf)
-    conf['linux']['sysctl'] = {'kernel.domainname' : 'foo'}
-    cid = None
-    try:
-        _, cid = run_and_get_output(conf)
-        return 0
-    except:
-        return -1
-    finally:
-        if cid is not None:
-            run_crun_command(["delete", "-f", cid])
+    # setting kernel.domainname must always fail.
+    for utsns in [True, False]:
+        conf = base_config()
+        conf['process']['args'] = ['/init', 'true']
+        add_all_namespaces(conf, utsns=utsns)
+        conf['linux']['sysctl'] = {'kernel.domainname' : 'foo'}
+        cid = None
+        try:
+            _, cid = run_and_get_output(conf)
+            sys.stderr.write("unexpected success\n")
+            return -1
+        except:
+            return 0
+        finally:
+            if cid is not None:
+                run_crun_command(["delete", "-f", cid])
     return 0
 
 def test_start():
