From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 19 Feb 2025 19:57:24 +0000 (+0100)
Subject: exec-invoke: Use FORK_DETACH when forking off pid namespace child
X-Git-Tag: v258-rc1~1281^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F36446%2Fhead;p=thirdparty%2Fsystemd.git

exec-invoke: Use FORK_DETACH when forking off pid namespace child

This ensures the child process is immediately re-parented to the
manager process which avoids a "Supervising process xxx which is
not our child. We'll most likely not notice when it exits." warning
which can currently happen if the parent systemd-executor parent
process sends the pid namespace child process pidref to the manager
process and the manager process dispatches the child process pidref
before the systemd-executor parent process exits, since at that point
the pid namespace child process's parent will still be the
systemd-executor parent process and not the manager process.
---

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 10111a81868..f0ab3637add 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -2480,7 +2480,8 @@ static int setup_private_pids(const ExecContext *c, ExecParameters *p) {
         if (pipe2(errno_pipe, O_CLOEXEC) < 0)
                 return log_exec_debug_errno(c, p, errno, "Failed to create pipe for communicating with parent process: %m");
 
-        r = pidref_safe_fork("(sd-pidns-child)", FORK_NEW_PIDNS, &pidref);
+        /* Set FORK_DETACH to immediately re-parent the child process to the invoking manager process. */
+        r = pidref_safe_fork("(sd-pidns-child)", FORK_NEW_PIDNS|FORK_DETACH, &pidref);
         if (r < 0)
                 return log_exec_debug_errno(c, p, r, "Failed to fork child into new pid namespace: %m");
         if (r > 0) {