From: Daan De Meyer
Date: Thu, 30 Nov 2023 10:01:14 +0000 (+0100)
Subject: Make sure we close bpf outer map fd in systemd-executor
X-Git-Tag: v255-rc4~19
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef90e8f9db911626c8f5c18c49cf6fe445afdefb;p=thirdparty%2Fsystemd.git

Make sure we close bpf outer map fd in systemd-executor

Not doing so leaks it into the child service and causes selinux denials.
---

diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
index 56c4f4da8a9..6c19cd42a24 100644
--- a/src/core/execute-serialize.c
+++ b/src/core/execute-serialize.c
@@ -1625,6 +1625,12 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) {
 if (fd < 0)
 continue;
 
+ /* This is special and relies on close-on-exec semantics, make sure it's
+ * there */
+ r = fd_cloexec(fd, true);
+ if (r < 0)
+ return r;
+
 p->bpf_outer_map_fd = fd;
 } else if ((val = startswith(l, "exec-parameters-notify-socket="))) {
 r = free_and_strdup(&p->notify_socket, val);
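Review bot: On the added `return r;` path the descriptor is neither stored in `p->bpf_outer_map_fd` nor closed, so the one fd this change is meant to keep away from the service is left open with close-on-exec possibly unset. The line that obtains `fd` is above the hunk, so whether ownership has already moved out of `fds` at this point is an assumption to confirm; if it has, `if (r < 0) { safe_close(fd); return r; }` would keep the failure path clean, and if `fds` still owns it no change is needed. The new comment calls the fd "special" without giving the reason; stating the consequence from the commit message would help the next reader, e.g. `/* Must not be inherited by the service we exec (causes SELinux denials), so enforce close-on-exec here. */`. The body of `exec_parameters_deserialize` starts and ends outside the hunk.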