mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-11-05 20:35:44 +00:00
7ade2b186d
Some time after systemd documented LISTEN_PID and LISTEN_FDS for socket activation, they later added LISTEN_FDNAMES; now documented at: https://www.freedesktop.org/software/systemd/man/sd_listen_fds.html In particular, look at the implementation of sd_listen_fds_with_names(): https://github.com/systemd/systemd/blob/main/src/libsystemd/sd-daemon/sd-daemon.c If we ever pass LISTEN_PID=xxx and LISTEN_FDS=n to a child process, but leave LISTEN_FDNAMES=... unchanged as inherited from our parent process, then our child process using sd_listen_fds_with_names() might see a mismatch in the number of names (unexpected -EINVAL failure), or even if the number of names matches the values of those names may be unexpected (with even less predictable results). Usually, this is not an issue - the point of LISTEN_PID is to tell systemd socket activation to ignore all other LISTEN_* if they were not directed to this particular pid. But if we end up consuming a socket directed to this qemu process, and later decide to spawn a child process that also needs systemd socket activation, we must ensure we are not leaking any stale systemd variables through to that child. The easiest way to do this is to wipe ALL LISTEN_* variables at the time we consume a socket, even if we do not yet care about a LISTEN_FDNAMES passed in from the parent process. See also https://lists.freedesktop.org/archives/systemd-devel/2023-March/048920.html Thanks: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20230324153349.1123774-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
80 lines
1.9 KiB
C
80 lines
1.9 KiB
C
/*
|
|
* systemd socket activation support
|
|
*
|
|
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
|
*
|
|
* Authors:
|
|
* Richard W.M. Jones <rjones@redhat.com>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or later.
|
|
* See the COPYING file in the top-level directory.
|
|
*/
|
|
|
|
#include "qemu/osdep.h"
|
|
#include "qemu/systemd.h"
|
|
#include "qemu/cutils.h"
|
|
#include "qemu/error-report.h"
|
|
|
|
#ifndef _WIN32
|
|
unsigned int check_socket_activation(void)
|
|
{
|
|
const char *s;
|
|
unsigned long pid;
|
|
unsigned long nr_fds;
|
|
unsigned int i;
|
|
int fd;
|
|
int f;
|
|
int err;
|
|
|
|
s = getenv("LISTEN_PID");
|
|
if (s == NULL) {
|
|
return 0;
|
|
}
|
|
err = qemu_strtoul(s, NULL, 10, &pid);
|
|
if (err) {
|
|
return 0;
|
|
}
|
|
if (pid != getpid()) {
|
|
return 0;
|
|
}
|
|
|
|
s = getenv("LISTEN_FDS");
|
|
if (s == NULL) {
|
|
return 0;
|
|
}
|
|
err = qemu_strtoul(s, NULL, 10, &nr_fds);
|
|
if (err) {
|
|
return 0;
|
|
}
|
|
assert(nr_fds <= UINT_MAX);
|
|
|
|
/* So these are not passed to any child processes we might start. */
|
|
unsetenv("LISTEN_FDS");
|
|
unsetenv("LISTEN_PID");
|
|
unsetenv("LISTEN_FDNAMES");
|
|
|
|
/* So the file descriptors don't leak into child processes. */
|
|
for (i = 0; i < nr_fds; ++i) {
|
|
fd = FIRST_SOCKET_ACTIVATION_FD + i;
|
|
f = fcntl(fd, F_GETFD);
|
|
if (f == -1 || fcntl(fd, F_SETFD, f | FD_CLOEXEC) == -1) {
|
|
/* If we cannot set FD_CLOEXEC then it probably means the file
|
|
* descriptor is invalid, so socket activation has gone wrong
|
|
* and we should exit.
|
|
*/
|
|
error_report("Socket activation failed: "
|
|
"invalid file descriptor fd = %d: %s",
|
|
fd, g_strerror(errno));
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
}
|
|
|
|
return (unsigned int) nr_fds;
|
|
}
|
|
|
|
#else /* !_WIN32 */
|
|
unsigned int check_socket_activation(void)
|
|
{
|
|
return 0;
|
|
}
|
|
#endif
|