From 752cdf5051d4de17864e7b2dbfec0023207a3d4e Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Mon, 16 Jun 2025 17:55:11 +0900 Subject: [PATCH] manager: also restart stub listner on reload Previously, the extra stub listners were stopped but new ones were not started. Also, the main stub listners were not restarted, hence the new settings were not applied. This fixes the above two issues. Note, to fix the issue, we need to keep CAP_NET_BIND_SERVICE capability to make it allow to bind stub listner later. Fixes #37843. --- src/resolve/resolved-manager.c | 5 +++++ src/resolve/resolved.c | 12 +++--------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c index 7127cbfc123..95f0cac49c6 100644 --- a/src/resolve/resolved-manager.c +++ b/src/resolve/resolved-manager.c @@ -653,6 +653,7 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa dns_server_unlink_on_reload(m->dns_servers); dns_server_unlink_on_reload(m->fallback_dns_servers); m->dns_extra_stub_listeners = ordered_set_free(m->dns_extra_stub_listeners); + manager_dns_stub_stop(m); dnssd_service_clear_on_reload(m->dnssd_services); m->unicast_scope = dns_scope_free(m->unicast_scope); m->delegates = hashmap_free(m->delegates); @@ -691,6 +692,10 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa manager_flush_caches(m, LOG_INFO); manager_verify_all(m); + r = manager_dns_stub_start(m); + if (r < 0) + return sd_event_exit(sd_event_source_get_event(s), r); + (void) sd_notify(/* unset_environment= */ false, NOTIFY_READY_MESSAGE); return 0; } diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c index 0676c4529f2..ea3e6a689c4 100644 --- a/src/resolve/resolved.c +++ b/src/resolve/resolved.c @@ -56,11 +56,10 @@ static int run(int argc, char *argv[]) { if (r < 0) return log_error_errno(r, "Could not create runtime directory: %m"); - /* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */ + /* Drop privileges, but keep two caps. */ r = drop_privileges(uid, gid, - (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */ - (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */ - (UINT64_C(1) << CAP_SETPCAP) /* needed in order to drop the caps later */); + (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */ + (UINT64_C(1) << CAP_NET_BIND_SERVICE)); /* needed to bind on port 53 */ if (r < 0) return log_error_errno(r, "Failed to drop privileges: %m"); } @@ -78,11 +77,6 @@ static int run(int argc, char *argv[]) { (void) manager_check_resolv_conf(m); - /* Let's drop the remaining caps now */ - r = capability_bounding_set_drop((UINT64_C(1) << CAP_NET_RAW), true); - if (r < 0) - return log_error_errno(r, "Failed to drop remaining caps: %m"); - notify_stop = notify_start(NOTIFY_READY_MESSAGE, NOTIFY_STOPPING_MESSAGE); r = sd_event_loop(m->event); -- 2.47.3