From 2cd04086ee555ae9b1423f6a4c5adeffd2affd72 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 17 Apr 2023 02:09:38 +0900
Subject: [PATCH] process-util: make safe_fork() unset $NOTIFY_SOCKET

Propagating $NOTIFY_SOCKET is typically dangerous. Let's unset it unless
explicitly requested to keep it.

Fixes #27288.
Replaces #27291.
---
 src/basic/process-util.c           | 8 ++++++++
 src/basic/process-util.h           | 1 +
 src/sysupdate/sysupdate-resource.c | 1 -
 src/sysupdate/sysupdate-transfer.c | 1 -
 src/udev/udevd.c                   | 2 --
 5 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 58503cf22d..a9826d94d3 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -1365,6 +1365,14 @@ int safe_fork_full(
                 }
         }
 
+        if (!FLAGS_SET(flags, FORK_KEEP_NOTIFY_SOCKET)) {
+                r = RET_NERRNO(unsetenv("NOTIFY_SOCKET"));
+                if (r < 0) {
+                        log_full_errno(prio, r, "Failed to unset $NOTIFY_SOCKET: %m");
+                        _exit(EXIT_FAILURE);
+                }
+        }
+
         if (ret_pid)
                 *ret_pid = getpid_cached();
 
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index 5188f3c605..230a0edb09 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -156,6 +156,7 @@ typedef enum ForkFlags {
         FORK_FLUSH_STDIO        = 1 << 13, /* fflush() stdout (and stderr) before forking */
         FORK_NEW_USERNS         = 1 << 14, /* Run child in its own user namespace */
         FORK_CLOEXEC_OFF        = 1 << 15, /* In the child: turn off O_CLOEXEC on all fds in except_fds[] */
+        FORK_KEEP_NOTIFY_SOCKET = 1 << 16, /* Unless this specified, $NOTIFY_SOCKET will be unset. */
 } ForkFlags;
 
 int safe_fork_full(
diff --git a/src/sysupdate/sysupdate-resource.c b/src/sysupdate/sysupdate-resource.c
index c918de79cc..5f06377ade 100644
--- a/src/sysupdate/sysupdate-resource.c
+++ b/src/sysupdate/sysupdate-resource.c
@@ -284,7 +284,6 @@ static int download_manifest(
                         NULL
                 };
 
-                (void) unsetenv("NOTIFY_SOCKET");
                 execv(pull_binary_path(), (char *const*) cmdline);
                 log_error_errno(errno, "Failed to execute %s tool: %m", pull_binary_path());
                 _exit(EXIT_FAILURE);
diff --git a/src/sysupdate/sysupdate-transfer.c b/src/sysupdate/sysupdate-transfer.c
index 6789f48967..8ae58c2b1b 100644
--- a/src/sysupdate/sysupdate-transfer.c
+++ b/src/sysupdate/sysupdate-transfer.c
@@ -793,7 +793,6 @@ static int run_helper(
         if (r == 0) {
                 /* Child */
 
-                (void) unsetenv("NOTIFY_SOCKET");
                 execv(path, (char *const*) cmdline);
                 log_error_errno(errno, "Failed to execute %s tool: %m", path);
                 _exit(EXIT_FAILURE);
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index d70fccde41..c56956c378 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -706,8 +706,6 @@ static int worker_main(Manager *_manager, sd_device_monitor *monitor, sd_device
         assert(monitor);
         assert(dev);
 
-        assert_se(unsetenv("NOTIFY_SOCKET") == 0);
-
         assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, -1) >= 0);
 
         /* Reset OOM score, we only protect the main daemon. */