git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Wed, 3 Apr 2024 08:51:21 +0000 (10:51 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 9 Apr 2024 08:27:35 +0000 (10:27 +0200)
commit	34f53f85bcf3ccc168fd3845fbc8a18a5c96e350
tree	3f8539c95ff8daca5f6a9b65c12c3d8a38eee3cc	tree
parent	6d4051750255465244dd0ffa01966324cea66353	commit \| diff

systemd: reimplement sd_notify logic using UNIX socket

One of the lessons of the XZ backdoor story was that just linking to
libsystemd to call sd_notify is discouraged by the systemd project:

Lennart Poettering:
"PSA: In context of the xzpocalypse we now added an example reimplementation
of sd_notify() to our man page:

https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Notes

It's pretty comprehensive (i.e. uses it for reload notification too), but
still relatively short.

In the past, I have been telling anyone who wanted to listen that if all you
want is sd_notify() then don't bother linking to libsystemd, since the
protocol is stable and should be considered the API, not our C wrapper
around it. After all, the protocol is so trivial"

From: https://mastodon.social/@pid_eins/112202687764571433

This commit takes the example code and uses it to reimplement the notify
logic.

The code is enabled if Linux is detected in configure. Since the code
won't do anything if the NOTIFY_SOCKET env var isn't set, this should
also work fine on systems w/o systemd.

Ticket: #6913.

.github/workflows/builds.yml		diff \| blob \| blame \| history
configure.ac		diff \| blob \| blame \| history
doc/userguide/configuration/systemd-notify.rst		diff \| blob \| blame \| history
src/Makefile.am		diff \| blob \| blame \| history
src/suricata.c		diff \| blob \| blame \| history
src/util-systemd.c	[new file with mode: 0644]	blob
src/util-systemd.h	[new file with mode: 0644]	blob