socket: set close-on-exec on all reusable sockets

Set the CLOEXEC flag on all reusable sockets in the initialization to
avoid leaking them to sendmail (mailonchange directive) in case the
chrony configuration doesn't use all sockets provided by systemd.

diff --git a/socket.c b/socket.c
index ff5c3fc38922db3f75891be178b53f5b16a7d515..ba4625da7391ecdf8aeee45df87a3029b34de83a 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -268,9 +268,9 @@ static int
 set_socket_flags(int sock_fd, int flags)
 {
   /* Close the socket automatically on exec */
-  if (
+  if (!SCK_IsReusable(sock_fd) &&
 #ifdef SOCK_CLOEXEC
-      (SCK_IsReusable(sock_fd) || (supported_socket_flags & SOCK_CLOEXEC) == 0) &&
+      (supported_socket_flags & SOCK_CLOEXEC) == 0 &&
 #endif
       !UTI_FdSetCloexec(sock_fd))
     return 0;
@@ -1295,6 +1295,8 @@ SCK_PreInitialise(void)
 void
 SCK_Initialise(int family)
 {
+  int fd;
+
   ip4_enabled = family == IPADDR_INET4 || family == IPADDR_UNSPEC;
 #ifdef FEAT_IPV6
   ip6_enabled = family == IPADDR_INET6 || family == IPADDR_UNSPEC;
@@ -1323,6 +1325,9 @@ SCK_Initialise(int family)
     supported_socket_flags |= SOCK_NONBLOCK;
 #endif
 
+  for (fd = first_reusable_fd; fd < first_reusable_fd + reusable_fds; fd++)
+    UTI_FdSetCloexec(fd);
+
   initialised = 1;
 }