From c2eda0d71b16d85c05c2e318027f74e46b3bac10 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Mon, 16 Jun 2025 17:55:11 +0900
Subject: [PATCH] manager: also restart stub listner on reload

Previously, the extra stub listners were stopped but new ones were not started. Also, the main stub listners were not restarted, hence the new settings were not applied. This fixes the above two issues. Note, to fix the issue, we need to keep CAP_NET_BIND_SERVICE capability to make it allow to bind stub listner later.
Fixes #37843.
(cherry picked from commit 752cdf5051d4de17864e7b2dbfec0023207a3d4e)
---
 src/resolve/resolved-manager.c | 5 +++++
 src/resolve/resolved.c | 12 +++------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 5ec946717f2..5ca40726b5d 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -603,6 +603,7 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa
 dns_server_unlink_on_reload(m->dns_servers);
 dns_server_unlink_on_reload(m->fallback_dns_servers);
 m->dns_extra_stub_listeners = ordered_set_free(m->dns_extra_stub_listeners);
+ manager_dns_stub_stop(m);
 dnssd_service_clear_on_reload(m->dnssd_services);
 m->unicast_scope = dns_scope_free(m->unicast_scope);
@@ -640,6 +641,10 @@ static int manager_dispatch_reload_signal(sd_event_source *s, const struct signa
 manager_flush_caches(m, LOG_INFO);
 manager_verify_all(m);
+ r = manager_dns_stub_start(m);
+ if (r < 0)
+ return sd_event_exit(sd_event_source_get_event(s), r);
+
 (void) sd_notify(/* unset= */ false, NOTIFY_READY);
 return 0;
 }
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index d6a7f0cf5a8..ef2439ee119 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
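Review bot: In the second resolved-manager.c hunk, `return sd_event_exit(sd_event_source_get_event(s), r);` makes any failure of manager_dns_stub_start() during a reload terminate the daemon, so a configuration naming a stub address that cannot be bound takes name resolution down instead of leaving the service running. No message is logged at this site; unless manager_dns_stub_start() logs the error itself (its body is not visible here), the cause of the exit is lost, and a line such as `log_error_errno(r, "Failed to restart DNS stub listeners on reload: %m");` before the return would record it. The first hunk stops the listeners well before this restart, so the stub addresses appear to stay unbound while the rest of the reload runs; a short comment at `manager_dns_stub_stop(m);` saying that the matching start happens at the end of the handler would help the next reader. The function begins outside both hunks.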
@@ -58,11 +58,10 @@ static int run(int argc, char *argv[]) {
 if (r < 0)
 return log_error_errno(r, "Could not create runtime directory: %m");
- /* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */
+ /* Drop privileges, but keep two caps. */
 r = drop_privileges(uid, gid,
- (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
- (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */
- (UINT64_C(1) << CAP_SETPCAP) /* needed in order to drop the caps later */);
+ (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
+ (UINT64_C(1) << CAP_NET_BIND_SERVICE)); /* needed to bind on port 53 */
 if (r < 0)
 return log_error_errno(r, "Failed to drop privileges: %m");
 }
@@ -80,11 +79,6 @@ static int run(int argc, char *argv[]) {
 (void) manager_check_resolv_conf(m);
- /* Let's drop the remaining caps now */
- r = capability_bounding_set_drop((UINT64_C(1) << CAP_NET_RAW), true);
- if (r < 0)
- return log_error_errno(r, "Failed to drop remaining caps: %m");
-
 notify_stop = notify_start(NOTIFY_READY, NOTIFY_STOPPING);
 r = sd_event_loop(m->event);
--
2.47.3
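Review bot: The new comment `/* Drop privileges, but keep two caps. */` in the first resolved.c hunk does not say that both capabilities are now held for the whole lifetime of the process. With the later `capability_bounding_set_drop()` call removed in the second hunk, code running in the resolver after startup has CAP_NET_BIND_SERVICE in addition to CAP_NET_RAW, where the old comments describe the set being narrowed once the listeners were bound. I would record the reason in place, e.g. `/* Drop privileges, but keep two caps for the whole runtime: CAP_NET_BIND_SERVICE is needed again to re-bind the stub listeners on reload. */`. If the wider steady-state set is a concern, keeping CAP_NET_BIND_SERVICE in the permitted set and raising it to effective only around the bind would narrow it again, though that needs changes outside these hunks. run() starts and ends outside both hunks.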