From 2ab90f2ed66cd47741e31775459856bd4c5efce9 Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Fri, 27 Jan 2023 15:46:50 +0100
Subject: [PATCH 1/2] journald: podman events only show events for current user

I noticed this while running some things in parallel, podman events
would show events from other users. Because all events are written to
the journal everybody can see them. So when we read the journal we must
filter events for only the current UID.

To reproduce run `podman events` as user then in another window create a
container as root for example. After this patch it will correctly ignore
these events from other users.

[NO NEW TESTS NEEDED] I don't think we can test with two users at the same
time.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 libpod/events/journal_linux.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libpod/events/journal_linux.go b/libpod/events/journal_linux.go
index 6c0cc15803..0f472b8d89 100644
--- a/libpod/events/journal_linux.go
+++ b/libpod/events/journal_linux.go
@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/coreos/go-systemd/v22/journal"
 	"github.com/coreos/go-systemd/v22/sdjournal"
@@ -108,7 +109,13 @@ func (e EventJournalD) Read(ctx context.Context, options ReadOptions) error {
 	// match only podman journal entries
 	podmanJournal := sdjournal.Match{Field: "SYSLOG_IDENTIFIER", Value: "podman"}
 	if err := j.AddMatch(podmanJournal.String()); err != nil {
-		return fmt.Errorf("failed to add journal filter for event log: %w", err)
+		return fmt.Errorf("failed to add SYSLOG_IDENTIFIER journal filter for event log: %w", err)
+	}
+
+	// make sure we only read events for the current user
+	uidMatch := sdjournal.Match{Field: "_UID", Value: strconv.Itoa(rootless.GetRootlessUID())}
+	if err := j.AddMatch(uidMatch.String()); err != nil {
+		return fmt.Errorf("failed to add _UID journal filter for event log: %w", err)
 	}
 
 	if len(options.Since) == 0 && len(options.Until) == 0 && options.Stream {
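Review bot: The comment above the new `_UID` match (`uidMatch := sdjournal.Match{...}`) does not record why this field can be relied on or what the filter does not cover. `_UID` is one of journald's trusted fields, filled in from the sender's credentials rather than by podman, so an entry written by another account cannot carry the reader's UID. The match only narrows what `Read` returns and leaves journal read permissions as they are, so other users' podman entries stay visible to anyone who can already read the system journal. I would expand the comment to `// _UID is set by journald, not by the writer, so other users cannot forge it; this limits what we show, it is not an access control on the journal`. `Read` begins and ends outside this hunk.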

From e519910305e71736493059fd1bd7ddb68ba3904d Mon Sep 17 00:00:00 2001
From: Paul Holzinger <pholzing@redhat.com>
Date: Fri, 27 Jan 2023 16:03:59 +0100
Subject: [PATCH 2/2] journald: podman logs only show logs for current user

In the super rare case that there are two containers with the same ID
for two different users, podman logs with the journald driver would show
logs from both containers.

[NO NEW TESTS NEEDED] Impossible to reproduce.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
---
 libpod/container_log_linux.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libpod/container_log_linux.go b/libpod/container_log_linux.go
index e8b9a52a7e..de5a66dee1 100644
--- a/libpod/container_log_linux.go
+++ b/libpod/container_log_linux.go
@@ -7,12 +7,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strconv"
 	"strings"
 	"time"
 
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/libpod/events"
 	"github.com/containers/podman/v4/libpod/logs"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/coreos/go-systemd/v22/journal"
 	"github.com/coreos/go-systemd/v22/sdjournal"
 	"github.com/sirupsen/logrus"
@@ -69,6 +71,12 @@ func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOption
 	if err := journal.AddMatch(match.String()); err != nil {
 		return fmt.Errorf("adding filter to journald logger: %v: %w", match, err)
 	}
+	// Make sure we only read events for the current user, while it is unlikely that there
+	// is a container ID duplication for two users, it is better to have it just in case.
+	uidMatch := sdjournal.Match{Field: "_UID", Value: strconv.Itoa(rootless.GetRootlessUID())}
+	if err := journal.AddMatch(uidMatch.String()); err != nil {
+		return fmt.Errorf("adding filter to journald logger: %v: %w", uidMatch, err)
+	}
 
 	// Add the filter for logs.  Note the disjunction so that we match
 	// either the events or the logs.
@@ -79,6 +87,9 @@ func (c *Container) readFromJournal(ctx context.Context, options *logs.LogOption
 	if err := journal.AddMatch(match.String()); err != nil {
 		return fmt.Errorf("adding filter to journald logger: %v: %w", match, err)
 	}
+	if err := journal.AddMatch(uidMatch.String()); err != nil {
+		return fmt.Errorf("adding filter to journald logger: %v: %w", uidMatch, err)
+	}
 
 	if options.Since.IsZero() {
 		if err := journal.SeekHead(); err != nil {
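Review bot: The second `journal.AddMatch(uidMatch.String())` has no comment, and it reads like an accidental duplicate of the one added a few lines earlier. Going by the existing comment about the disjunction, the code between the two hunks presumably starts a new OR term, and a match applies only to the term it is added to. Dropping this call would then let the logs term match a container with the same ID owned by another UID. A line such as `// repeat the _UID match: it must be part of both sides of the disjunction` would keep it from being cleaned up later. The disjunction call itself is outside the hunk, so this is inferred from the surrounding comment.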