From: HAMANO Tsukasa <hamano@osstech.co.jp>
Date: Tue, 7 May 2024 10:59:17 +0000 (+0900)
Subject: ITS#10214 Reduce library dependencies
X-Git-Tag: OPENLDAP_REL_ENG_2_5_18~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7c76e2daff6d2fc0607b22ddd113d406e0fa1fc;p=thirdparty%2Fopenldap.git

ITS#10214 Reduce library dependencies

Currently, slapd links libsystemd to notify service state to systemd.
However, libsystemd link several unnecessary libraries, which increases security risks.
The systemd documentation provides a method to send state notifications to systemd using a simple protocol without the need to link against libsystemd.

https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html
---

diff --git a/build/top.mk b/build/top.mk
index 527d61fc5e..d5dd27de54 100644
--- a/build/top.mk
+++ b/build/top.mk
@@ -197,7 +197,6 @@ TLS_LIBS = @TLS_LIBS@
 AUTH_LIBS = @AUTH_LIBS@
 ARGON2_LIBS = @ARGON2_LIBS@
 SECURITY_LIBS = $(SASL_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
-SYSTEMD_LIBS = @SYSTEMD_LIBS@
 
 MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
 MODULES_LDFLAGS = @SLAPD_MODULES_LDFLAGS@
@@ -208,7 +207,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
 SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
 SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
 
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(SYSTEMD_LIBS)
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@
 LLOADD_LIBS = @BALANCER_LIBS@ $(LEVENT_LIBS)
 
 # Our Defaults
diff --git a/configure.ac b/configure.ac
index 32067386de..a5548437ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -639,7 +639,6 @@ MODULES_LIBS=
 SLAPI_LIBS=
 LIBSLAPI=
 AUTH_LIBS=
-SYSTEMD_LIBS=
 
 SLAPD_SLP_LIBS=
 SLAPD_GMP_LIBS=
@@ -2107,42 +2106,29 @@ dnl ----------------------------------------------------------------
 dnl
 dnl Check for systemd (only if we have a server)
 dnl
-WITH_SYSTEMD=no
 systemdsystemunitdir=
-ol_link_systemd=no
 if test $ol_enable_slapd = no && test $ol_enable_balancer != yes ; then
 	if test $ol_with_systemd != no ; then
 		AC_MSG_WARN([servers disabled, ignoring --with-systemd=$ol_with_systemd argument])
 		ol_with_systemd=no
 	fi
 fi
-if test $ol_with_systemd != no ; then
-	AC_CHECK_HEADERS(systemd/sd-daemon.h)
 
+if test $ol_with_systemd = auto; then
+	AC_CHECK_HEADERS(systemd/sd-daemon.h)
 	if test $ac_cv_header_systemd_sd_daemon_h = yes; then
-		AC_CHECK_LIB(systemd, sd_notify,
-			[ol_link_systemd="-lsystemd"])
+		ol_with_systemd=yes
 	fi
+fi
 
-	if test $ol_link_systemd = no ; then
-		if test $ol_with_systemd != auto ; then
-			AC_MSG_ERROR([Could not locate systemd])
+if test $ol_with_systemd = yes ; then
+	AC_DEFINE(HAVE_SYSTEMD,1,[define if you have systemd])
+	PKG_CHECK_VAR(systemdsystemunitdir, systemd, systemdsystemunitdir)
+	if test -z "$systemdsystemunitdir"; then
+		if test -d /usr/lib/systemd/system; then
+			systemdsystemunitdir=/usr/lib/systemd/system
 		else
-			AC_MSG_WARN([Could not locate systemd])
-			AC_MSG_WARN([systemd service notification not supported!])
-		fi
-	else
-		AC_DEFINE(HAVE_SYSTEMD,1,[define if you have systemd])
-		SYSTEMD_LIBS="$ol_link_systemd"
-		WITH_SYSTEMD=yes
-
-		PKG_CHECK_VAR(systemdsystemunitdir, systemd, systemdsystemunitdir)
-		if test -z "$systemdsystemunitdir"; then
-			if test -d /usr/lib/systemd/system; then
-				systemdsystemunitdir=/usr/lib/systemd/system
-			else
-				systemdsystemunitdir=/lib/systemd/system
-			fi
+			systemdsystemunitdir=/lib/systemd/system
 		fi
 	fi
 fi
@@ -3184,7 +3170,6 @@ AC_SUBST(WITH_SASL)
 AC_SUBST(WITH_TLS)
 AC_SUBST(WITH_MODULES_ENABLED)
 AC_SUBST(WITH_ACI_ENABLED)
-AC_SUBST(WITH_SYSTEMD)
 AC_SUBST(BUILD_THREAD)
 AC_SUBST(BUILD_LIBS_DYNAMIC)
 AC_SUBST(OL_VERSIONED_SYMBOLS)
@@ -3273,7 +3258,6 @@ AC_SUBST(SLAPI_LIBS)
 AC_SUBST(LIBSLAPI)
 AC_SUBST(AUTH_LIBS)
 AC_SUBST(ARGON2_LIBS)
-AC_SUBST(SYSTEMD_LIBS)
 
 AC_SUBST(SLAPD_SLP_LIBS)
 AC_SUBST(SLAPD_GMP_LIBS)
diff --git a/include/sd-notify.h b/include/sd-notify.h
new file mode 100644
index 0000000000..be284f681f
--- /dev/null
+++ b/include/sd-notify.h
@@ -0,0 +1,64 @@
+/* SPDX-License-Identifier: MIT-0 */
+/* Implement the systemd notify protocol without external dependencies.
+ * Supports both readiness notification on startup and on reloading,
+ * according to the protocol defined at:
+ * https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html
+ * This protocol is guaranteed to be stable as per:
+ * https://systemd.io/PORTABILITY_AND_STABILITY/ */
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+
+static int sd_notify(int ignore, const char *message) {
+    union sockaddr_union {
+	struct sockaddr sa;
+	struct sockaddr_un sun;
+    } socket_addr = {
+	.sun.sun_family = AF_UNIX,
+    };
+    size_t path_length, message_length;
+    const char *socket_path;
+    int fd = -1;
+    int rc = 1;
+
+    socket_path = getenv("NOTIFY_SOCKET");
+    if (!socket_path)
+	return 0; /* Not running under systemd? Nothing to do */
+
+    if (!message)
+	return -EINVAL;
+
+    message_length = strlen(message);
+    if (message_length == 0)
+	return -EINVAL;
+
+    /* Only AF_UNIX is supported, with path or abstract sockets */
+    if (socket_path[0] != '/' && socket_path[0] != '@')
+	return -EAFNOSUPPORT;
+
+    path_length = strlen(socket_path);
+    /* Ensure there is room for NUL byte */
+    if (path_length >= sizeof(socket_addr.sun.sun_path))
+	return -E2BIG;
+
+    memcpy(socket_addr.sun.sun_path, socket_path, path_length);
+
+    /* Support for abstract socket */
+    if (socket_addr.sun.sun_path[0] == '@')
+	socket_addr.sun.sun_path[0] = 0;
+
+    fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+    if (fd < 0)
+	return -errno;
+
+    ssize_t written = sendto(fd, message, message_length, 0,
+			     &socket_addr.sa, offsetof(struct sockaddr_un, sun_path) + path_length);
+    if (written != (ssize_t) message_length)
+	rc = written < 0 ? -errno : -EPROTO;
+
+    close(fd);
+    return rc;
+}
diff --git a/servers/lloadd/Makefile_server.in b/servers/lloadd/Makefile_server.in
index 95daca9920..6099173d77 100644
--- a/servers/lloadd/Makefile_server.in
+++ b/servers/lloadd/Makefile_server.in
@@ -32,8 +32,6 @@ BUILD_SRV = @BUILD_BALANCER@
 
 all-local-srv: 	$(PROGRAMS) all-cffiles
 
-XXLIBS += $(SYSTEMD_LIBS)
-
 lloadd:	$(LLOADD_DEPENDS) version.o
 	$(LTLINK) -o $@ $(OBJS) version.o $(LIBS)
 
diff --git a/servers/lloadd/daemon.c b/servers/lloadd/daemon.c
index f652aed8fc..813b296196 100644
--- a/servers/lloadd/daemon.c
+++ b/servers/lloadd/daemon.c
@@ -45,8 +45,8 @@
 
 #include "ldap_rq.h"
 
-#ifdef HAVE_SYSTEMD_SD_DAEMON_H
-#include <systemd/sd-daemon.h>
+#ifdef HAVE_SYSTEMD
+#include "sd-notify.h"
 #endif
 
 #ifdef LDAP_PF_LOCAL
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index a269ae4156..eb0f538514 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -41,8 +41,8 @@
 
 #include "ldap_rq.h"
 
-#ifdef HAVE_SYSTEMD_SD_DAEMON_H
-#include <systemd/sd-daemon.h>
+#ifdef HAVE_SYSTEMD
+#include "sd-notify.h"
 #endif
 
 #ifdef HAVE_POLL