From 4a3d57a47a97645b9dcc89f0256aa9613b02b38a Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 17 Nov 2025 17:57:24 +0100 Subject: [PATCH] network: gracefully disable resolve hook when socket is disabled systemd-networkd cannot create the directory /run/systemd/resolve.hook/. Even if the directory exists, it is not owned by systemd-network user/group, so systemd-networkd cannot create socket file in the directory. Hence, if the systemd-networkd-resolve-hook.socket unit is disabled, networkd fails to open the varlink socket, and fail to start: systemd-networkd[1304645]: Failed to bind to systemd-resolved hook Varlink socket: Permission denied systemd-networkd[1304645]: Could not set up manager: Permission denied systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=1/FAILURE systemd[1]: systemd-networkd.service: Failed with result 'exit-code'. systemd[1]: Failed to start systemd-networkd.service - Network Management. If the socket unit is disabled, that should mean the system administrator wants to disable the feature. Let's not try to setup the varlink socket in that case. Now the resolve hook feature can be toggled by enabling/disabling the socket unit, let's drop the $SYSTEMD_NETWORK_RESOLVE_HOOK environment variable. Follow-up for a7fa29b1b52210e33f4e43efc1a2f06b7c7233c0. Co-authored-by: Yu Watanabe --- src/network/networkd-resolve-hook.c | 24 ++++++++++++++---------- test/networkd-test.py | 6 ------ 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/src/network/networkd-resolve-hook.c b/src/network/networkd-resolve-hook.c index 6c437be9db6..3abe8262e2a 100644 --- a/src/network/networkd-resolve-hook.c +++ b/src/network/networkd-resolve-hook.c 
@@ -5,12 +5,14 @@ #include "sd-varlink.h" #include "alloc-util.h" +#include "argv-util.h" #include "dns-answer.h" #include "dns-domain.h" #include "dns-packet.h" #include "dns-question.h" #include "dns-rr.h" #include "env-util.h" +#include "errno-util.h" #include "fd-util.h" #include "networkd-link.h" #include "networkd-manager.h" @@ -214,17 +216,14 @@ int manager_varlink_init_resolve_hook(Manager *m, int fd) { if (m->varlink_resolve_hook_server) return 0; - r = getenv_bool("SYSTEMD_NETWORK_RESOLVE_HOOK"); - if (r < 0 && r != -ENXIO) - log_warning_errno(r, "Failed to parse $SYSTEMD_NETWORK_RESOLVE_HOOK, ignoring: %m"); - if (r == 0) { - log_notice("Resolve hook disabled via $SYSTEMD_NETWORK_RESOLVE_HOOK."); + if (fd < 0 && invoked_by_systemd()) { + log_debug("systemd-networkd-resolve-hook.socket seems to be disabled, not installing varlink server."); return 0; } r = varlink_server_new(&s, SD_VARLINK_SERVER_ACCOUNT_UID|SD_VARLINK_SERVER_INHERIT_USERDATA, m); if (r < 0) - return log_error_errno(r, "Failed to allocate varlink server object: %m"); + return log_error_errno(r, "Failed to allocate varlink server: %m"); (void) sd_varlink_server_set_description(s, "varlink-resolve-hook"); 
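Review bot: In the `@@ -214,17 +216,14 @@` hunk, the new early return in manager_varlink_init_resolve_hook() reports the skipped hook only through `log_debug()`, whereas the removed environment-variable path used `log_notice()`. At default log levels nothing now records that the resolve hook was left off. The condition infers "socket unit disabled" purely from `fd < 0` together with `invoked_by_systemd()`, which the message itself hedges with "seems to be". A short comment would make that assumption explicit, for example `/* No fd was passed by the service manager: assume the socket unit is disabled and do not bind the path ourselves. */`. Consider `log_info()` here for parity with the `log_info_errno()` added in the later hunk; the function body starts and ends outside this hunk.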
@@ -243,12 +242,17 @@ int manager_varlink_init_resolve_hook(Manager *m, int fd) { if (r < 0) return log_error_errno(r, "Failed to bind on resolve hook disconnection events: %m"); - if (fd < 0) - r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Network", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); - else + if (fd < 0) { + r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Network", + 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); + if (ERRNO_IS_NEG_PRIVILEGE(r)) { + log_info_errno(r, "Failed to bind to systemd-resolved hook varlink socket, ignoring: %m"); + return 0; + } + } else r = sd_varlink_server_listen_fd(s, fd); if (r < 0) - return log_error_errno(r, "Failed to bind to systemd-resolved hook Varlink socket: %m"); + return log_error_errno(r, "Failed to bind to systemd-resolved hook varlink socket: %m"); TAKE_FD(fd_close); diff --git a/test/networkd-test.py b/test/networkd-test.py index 691f58b2d3a..a082f5456fc 100755 --- a/test/networkd-test.py +++ b/test/networkd-test.py @@ -97,9 +97,6 @@ def setUpModule(): if os.path.isdir('/run/systemd/resolve'): os.chmod('/run/systemd/resolve', 0o755) shutil.chown('/run/systemd/resolve', 'systemd-resolve', 'systemd-resolve') - if os.path.isdir('/run/systemd/resolve.hook'): - os.chmod('/run/systemd/resolve.hook', 0o755) - shutil.chown('/run/systemd/resolve.hook', 'systemd-network', 'systemd-network') if os.path.isdir('/run/systemd/netif'): os.chmod('/run/systemd/netif', 0o755) shutil.chown('/run/systemd/netif', 'systemd-network', 'systemd-network') @@ -976,9 +973,6 @@ EOF # Hence, 'networkctl persistent-storage yes' cannot be used. export SYSTEMD_NETWORK_PERSISTENT_STORAGE_READY=1 -# Don't try to register resolved hook for our testcase -export SYSTEMD_NETWORK_RESOLVE_HOOK=0 - # Generate debugging logs. export SYSTEMD_LOG_LEVEL=debug -- 2.47.3
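Review bot: In the `@@ -243,12 +242,17 @@` hunk, the new `ERRNO_IS_NEG_PRIVILEGE(r)` branch returns 0, the same value as a successful setup, and its message says only "ignoring" without naming the socket path or stating that the hook is now inactive. The commit message attributes the failure to directory ownership, but a permission error could presumably also come from an access-control policy denial or an unexpectedly altered directory, so it should be easy to find in logs. I would write `log_notice_errno(r, "Failed to bind to /run/systemd/resolve.hook/io.systemd.Network, resolve hook disabled: %m");`. A one-line comment saying that only permission errors are tolerated and every other bind error stays fatal would also help. The function continues outside the hunk, so whether `s` is released on this early return cannot be confirmed from here.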