From 1a1eae0c09aea38b46140ec38dbc8cbb2f56d164 Mon Sep 17 00:00:00 2001
From: Ryan Phillips
Date: Mon, 11 Oct 2021 16:30:00 -0500
Subject: [PATCH] crio: filter out systemd related components

Do not allow registration of systemd related services.
---
 container/crio/factory.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/container/crio/factory.go b/container/crio/factory.go
index fd61168c4b..906f076dc8 100644
--- a/container/crio/factory.go
+++ b/container/crio/factory.go
@@ -32,6 +32,9 @@ import (
 // The namespace under which crio aliases are unique.
 const CrioNamespace = "crio"
+// The namespace systemd runs components under.
+const SystemdNamespace = "system-systemd"
+
 // Regexp that identifies CRI-O cgroups
 var crioCgroupRegexp = regexp.MustCompile(`([a-z0-9]{64})`)
@@ -114,6 +117,9 @@ func (f *crioFactory) CanHandleAndAccept(name string) (bool, bool, error) {
 if !strings.HasPrefix(path.Base(name), CrioNamespace) {
 return false, false, nil
 }
+ if strings.HasPrefix(path.Base(name), SystemdNamespace) {
+ return true, false, nil
+ }
 // if the container is not associated with CRI-O, we can't handle it or accept it.
 if !isContainerName(name) {
 return false, false, nil
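Review bot: The comment on the new `SystemdNamespace` constant does not say how the value is used; in the second hunk it is compared as a prefix of `path.Base(name)`, so it is a cgroup base-name prefix rather than a namespace in the sense `CrioNamespace` documents. A name-first doc comment would make that clear, e.g. `// SystemdNamespace is the cgroup base-name prefix of systemd-managed units that this factory claims but does not accept.` The constant is also exported although its only visible use is inside the package; if nothing outside needs it, an unexported name avoids widening the package API.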
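Review bot: The added `strings.HasPrefix(path.Base(name), SystemdNamespace)` branch in CanHandleAndAccept looks unreachable, because the guard directly above it already returns unless `path.Base(name)` starts with `CrioNamespace` ("crio"), and a base name cannot begin with both "crio" and "system-systemd". As written the filter never fires, so systemd-related cgroups are registered exactly as before the commit. If the intent is for this factory to claim and reject them with `return true, false, nil`, the three added lines presumably need to sit above `if !strings.HasPrefix(path.Base(name), CrioNamespace) {`, or match a different part of `name` than its base. The function starts and ends outside the hunk, so an earlier return may also affect this; a test case in the package's tests for a `system-systemd...` name would pin the intended result.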