From: Miroslav Lichvar Date: Mon, 20 Nov 2023 12:25:27 +0000 (+0100) Subject: socket: set close-on-exec on all reusable sockets X-Git-Tag: 4.5-pre1~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee9d721b7ba0dd7bea6c011de9466f32cf7cd496;p=thirdparty%2Fchrony.git socket: set close-on-exec on all reusable sockets Set the CLOEXEC flag on all reusable sockets in the initialization to avoid leaking them to sendmail (mailonchange directive) in case the chrony configuration doesn't use all sockets provided by systemd.
---
diff --git a/socket.c b/socket.c
index ff5c3fc3..ba4625da 100644
--- a/socket.c
+++ b/socket.c
@@ -268,9 +268,9 @@ static int
 set_socket_flags(int sock_fd, int flags)
 {
 /* Close the socket automatically on exec */
- if (
+ if (!SCK_IsReusable(sock_fd) &&
 #ifdef SOCK_CLOEXEC
- (SCK_IsReusable(sock_fd) || (supported_socket_flags & SOCK_CLOEXEC) == 0) &&
+ (supported_socket_flags & SOCK_CLOEXEC) == 0 &&
 #endif
 !UTI_FdSetCloexec(sock_fd))
 return 0;
@@ -1295,6 +1295,8 @@ SCK_PreInitialise(void)
 void
 SCK_Initialise(int family)
 {
+ int fd;
+
 ip4_enabled = family == IPADDR_INET4 || family == IPADDR_UNSPEC;
 #ifdef FEAT_IPV6
 ip6_enabled = family == IPADDR_INET6 || family == IPADDR_UNSPEC;
@@ -1323,6 +1325,9 @@ SCK_Initialise(int family)
 supported_socket_flags |= SOCK_NONBLOCK;
 #endif
+ for (fd = first_reusable_fd; fd < first_reusable_fd + reusable_fds; fd++)
+ UTI_FdSetCloexec(fd);
+
 initialised = 1;
 }
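Review bot: The comment above the condition in set_socket_flags() still reads as if every socket gets the flag on this path, but the new `!SCK_IsReusable(sock_fd) &&` term makes it skip reusable sockets entirely. That is only safe because SCK_Initialise() is expected to have set close-on-exec on them already, and nothing at this site says so. I would extend the comment to something like `/* Close the socket automatically on exec (reusable sockets had the flag set in SCK_Initialise()) */`, so that a later change to the initialisation loop does not silently reopen the descriptor leak to child processes that the commit message describes. The function body continues beyond the hunk.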
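Review bot: The return value of `UTI_FdSetCloexec(fd)` is discarded in the new loop in SCK_Initialise(), although set_socket_flags() in the first hunk treats a zero return as a failure. Since set_socket_flags() no longer touches reusable sockets, a failed call here leaves that descriptor inheritable by the mailonchange child, with no trace and no later retry. Consider at least reporting it, e.g. `if (!UTI_FdSetCloexec(fd)) LOG(LOGS_WARN, "Could not set CLOEXEC on reusable socket %d", fd);`, or a debug-level message if failures are expected for descriptors in the range that are not actually open (how the range is validated is not visible in this hunk).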