qemu/util/systemd.c
Eric Blake 7ade2b186d systemd: Also clear LISTEN_FDNAMES during systemd socket activation
Some time after systemd documented LISTEN_PID and LISTEN_FDS for
socket activation, they later added LISTEN_FDNAMES; now documented at:
https://www.freedesktop.org/software/systemd/man/sd_listen_fds.html

In particular, look at the implementation of sd_listen_fds_with_names():
https://github.com/systemd/systemd/blob/main/src/libsystemd/sd-daemon/sd-daemon.c

If we ever pass LISTEN_PID=xxx and LISTEN_FDS=n to a child process,
but leave LISTEN_FDNAMES=... unchanged as inherited from our parent
process, then our child process using sd_listen_fds_with_names() might
see a mismatch in the number of names (unexpected -EINVAL failure), or
even if the number of names matches the values of those names may be
unexpected (with even less predictable results).

Usually, this is not an issue - the point of LISTEN_PID is to tell
systemd socket activation to ignore all other LISTEN_* if they were
not directed to this particular pid.  But if we end up consuming a
socket directed to this qemu process, and later decide to spawn a
child process that also needs systemd socket activation, we must
ensure we are not leaking any stale systemd variables through to that
child.  The easiest way to do this is to wipe ALL LISTEN_* variables
at the time we consume a socket, even if we do not yet care about a
LISTEN_FDNAMES passed in from the parent process.

See also https://lists.freedesktop.org/archives/systemd-devel/2023-March/048920.html

Thanks: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20230324153349.1123774-1-eblake@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2023-05-03 14:00:08 -05:00

80 lines
1.9 KiB
C

/*
* systemd socket activation support
*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
*
* Authors:
* Richard W.M. Jones <rjones@redhat.com>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "qemu/systemd.h"
#include "qemu/cutils.h"
#include "qemu/error-report.h"
#ifndef _WIN32
unsigned int check_socket_activation(void)
{
const char *s;
unsigned long pid;
unsigned long nr_fds;
unsigned int i;
int fd;
int f;
int err;
s = getenv("LISTEN_PID");
if (s == NULL) {
return 0;
}
err = qemu_strtoul(s, NULL, 10, &pid);
if (err) {
return 0;
}
if (pid != getpid()) {
return 0;
}
s = getenv("LISTEN_FDS");
if (s == NULL) {
return 0;
}
err = qemu_strtoul(s, NULL, 10, &nr_fds);
if (err) {
return 0;
}
assert(nr_fds <= UINT_MAX);
/* So these are not passed to any child processes we might start. */
unsetenv("LISTEN_FDS");
unsetenv("LISTEN_PID");
unsetenv("LISTEN_FDNAMES");
/* So the file descriptors don't leak into child processes. */
for (i = 0; i < nr_fds; ++i) {
fd = FIRST_SOCKET_ACTIVATION_FD + i;
f = fcntl(fd, F_GETFD);
if (f == -1 || fcntl(fd, F_SETFD, f | FD_CLOEXEC) == -1) {
/* If we cannot set FD_CLOEXEC then it probably means the file
* descriptor is invalid, so socket activation has gone wrong
* and we should exit.
*/
error_report("Socket activation failed: "
"invalid file descriptor fd = %d: %s",
fd, g_strerror(errno));
exit(EXIT_FAILURE);
}
}
return (unsigned int) nr_fds;
}
#else /* !_WIN32 */
unsigned int check_socket_activation(void)
{
return 0;
}
#endif