Make sure we close bpf outer map fd in systemd-executor
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 30 Nov 2023 10:01:14 +0000 (11:01 +0100)
committerMike Yuan <me@yhndnzj.com>
Thu, 30 Nov 2023 16:06:24 +0000 (00:06 +0800)
Not doing so leaks it into the child service and causes SELinux
denials.

src/core/execute-serialize.c

index 56c4f4da8a95084188929dc79dfc9612864cc762..6c19cd42a2465bdec695d3f9247b6a88e6804191 100644 (file)
@@ -1625,6 +1625,12 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) {
                         if (fd < 0)
                                 continue;
 
+                        /* This is special and relies on close-on-exec semantics, make sure it's
+                         * there */
+                        r = fd_cloexec(fd, true);
+                        if (r < 0)
+                                return r;
+
                         p->bpf_outer_map_fd = fd;
                 } else if ((val = startswith(l, "exec-parameters-notify-socket="))) {
                         r = free_and_strdup(&p->notify_socket, val);
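Review bot: The comment added above `fd_cloexec(fd, true)` calls the fd "special" without saying why, so the security reason for the call survives only in the commit message. I would spell it out, e.g. `/* This fd must not be inherited by the executed service (it triggers SELinux denials there), so make sure FD_CLOEXEC is set. */`. Separately, the new `return r;` exits while `fd` is held only in a local. How `fd` was obtained is above the hunk, so this needs confirming, but if it has already been taken out of `fds`, the error path drops it without closing it and without the flag this change is meant to guarantee. If so, a `safe_close(fd)` before returning, or assigning `p->bpf_outer_map_fd` first so the normal cleanup owns it, would keep the failure path as tight as the success path. The enclosing function starts and ends outside the hunk.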