From 03947ab031d26100c906dcab4253d644c459a4c6 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 20 Oct 2023 12:58:14 +0200
Subject: [PATCH] libpod: skip DBUS_SESSION_BUS_ADDRESS in conmon

commit 7ade9721020468438e822b16ed7a65380cc7fbd2 introduced the change that caused an issue in crun since it forces the root user session instead of the system one when DBUS_SESSION_BUS_ADDRESS is set. I am addressing it in crun, but for the time being, let's also not pass the variable down to conmon since the assumption is that when running as root the containers must be created on the system bus.

Signed-off-by: Giuseppe Scrivano
---
 libpod/oci_conmon_common.go | 5 +++++
 test/system/030-run.bats | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go
index 3eac697651..3cae58f707 100644
--- a/libpod/oci_conmon_common.go
+++ b/libpod/oci_conmon_common.go
@@ -1316,6 +1316,11 @@ func (r *ConmonOCIRuntime) configureConmonEnv() ([]string, error) {
 // The NOTIFY_SOCKET must not leak into the environment.
 continue
 }
+ if strings.HasPrefix(v, "DBUS_SESSION_BUS_ADDRESS=") && !rootless.IsRootless() {
+ // The DBUS_SESSION_BUS_ADDRESS must not leak into the environment when running as root.
+ // This is because we want to use the system session for root containers, not the user session.
+ continue
+ }
 res = append(res, v)
 }
 runtimeDir, err := util.GetRuntimeDir()
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 0f7952adb6..4aa3462de7 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
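Review bot: The comment on the new `DBUS_SESSION_BUS_ADDRESS` branch in configureConmonEnv speaks of a "system session" and a "user session", while the distinction the code enforces is between the D-Bus system bus and a per-user session bus, and it does not say that the value comes from whatever environment invoked podman. I would reword it to something like `// As root, containers must be created on the system bus; drop an inherited session bus address so the runtime is not pointed at a user's bus.` The filter only covers the environment assembled by this loop, which starts outside the hunk; whether other code paths that invoke the OCI runtime directly still pass the variable through is not visible here and may be worth checking. The two `continue` branches are now a small denylist, so a shared helper or set would keep the next addition from being missed.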
@@ -1301,7 +1301,12 @@ search | $IMAGE |
 run_podman container inspect $cid --format "{{ .State.ConmonPid }}"
 conmon_pid="$output"
 is "$(< /proc/$conmon_pid/cmdline)" ".*--exit-command-arg--syslog.*" "conmon's exit-command has --syslog set"
- assert "$(< /proc/$conmon_pid/environ)" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
+ conmon_env="$(< /proc/$conmon_pid/environ)"
+ assert "$conmon_env" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
+ assert "$conmon_env" !~ "NOTIFY_SOCKET=" "NOTIFY_SOCKET is not included (incl. BATS variables)"
+ if ! is_rootless; then
+ assert "$conmon_env" !~ "DBUS_SESSION_BUS_ADDRESS=" "DBUS_SESSION_BUS_ADDRESS is not included (incl. BATS variables)"
+ fi
 run_podman rm -f -t0 $cid
 }
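Review bot: The two new `!~` assertions pass vacuously when the variable is absent from the test's own environment, so they only guard against a regression if `DBUS_SESSION_BUS_ADDRESS` (and `NOTIFY_SOCKET`) are actually set when the container is started. That `run_podman` call is outside this hunk, so I cannot tell whether it sets them; if it does not, giving the call a dummy value for each would make the check meaningful. The failure messages also carry a copied "(incl. BATS variables)" suffix that does not apply to a negative check; something like `"NOTIFY_SOCKET is not passed down to conmon"` and `"DBUS_SESSION_BUS_ADDRESS is not passed down to conmon when running as root"` reads more accurately.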