Blame 0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch
From ef90e8f9db911626c8f5c18c49cf6fe445afdefb Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 30 Nov 2023 11:01:14 +0100
Subject: [PATCH] Make sure we close bpf outer map fd in systemd-executor
Not doing so leaks it into the child service and causes selinux
denials.
---
src/core/execute-serialize.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
index 56c4f4da8a..6c19cd42a2 100644
--- a/src/core/execute-serialize.c
+++ b/src/core/execute-serialize.c
@@ -1625,6 +1625,12 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) {
if (fd < 0)
continue;
+ /* This is special and relies on close-on-exec semantics, make sure it's
+ * there */
+ r = fd_cloexec(fd, true);
+ if (r < 0)
+ return r;
+
p->bpf_outer_map_fd = fd;
} else if ((val = startswith(l, "exec-parameters-notify-socket="))) {
r = free_and_strdup(&p->notify_socket, val);
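Review bot: The new `return r;` after `fd_cloexec(fd, true)` leaves `fd` neither stored in `p->bpf_outer_map_fd` nor closed. If the call that produced `fd` (above the hunk, not visible here) already took it out of `fds`, the descriptor stays open without the close-on-exec flag on that path, which is the state this commit is guarding against; closing it first keeps the failure path fail-closed: `if (r < 0) { safe_close(fd); return r; }`. The comment could also say why the flag matters, e.g. `/* Must not be inherited by the service we exec: set close-on-exec explicitly. */`, since "special" alone does not tell the next reader that an inherited map fd is what caused the SELinux denials. exec_parameters_deserialize() starts and ends outside the hunk, so how the caller reacts to the returned error is not visible.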
--
2.43.0