From ee9d721b7ba0dd7bea6c011de9466f32cf7cd496 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 20 Nov 2023 13:25:27 +0100
Subject: [PATCH] socket: set close-on-exec on all reusable sockets

Set the CLOEXEC flag on all reusable sockets in the initialization to avoid leaking them to sendmail (mailonchange directive) in case the chrony configuration doesn't use all sockets provided by systemd.
---
 socket.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/socket.c b/socket.c
index ff5c3fc..ba4625d 100644
--- a/socket.c
+++ b/socket.c
@@ -268,9 +268,9 @@ static int
 set_socket_flags(int sock_fd, int flags)
 {
 /* Close the socket automatically on exec */
- if (
+ if (!SCK_IsReusable(sock_fd) &&
 #ifdef SOCK_CLOEXEC
- (SCK_IsReusable(sock_fd) || (supported_socket_flags & SOCK_CLOEXEC) == 0) &&
+ (supported_socket_flags & SOCK_CLOEXEC) == 0 &&
 #endif
 !UTI_FdSetCloexec(sock_fd))
 return 0;
@@ -1295,6 +1295,8 @@ SCK_PreInitialise(void)
 void
 SCK_Initialise(int family)
 {
+ int fd;
+
 ip4_enabled = family == IPADDR_INET4 || family == IPADDR_UNSPEC;
 #ifdef FEAT_IPV6
 ip6_enabled = family == IPADDR_INET6 || family == IPADDR_UNSPEC;
@@ -1323,6 +1325,9 @@ SCK_Initialise(int family)
 supported_socket_flags |= SOCK_NONBLOCK;
 #endif
 
+ for (fd = first_reusable_fd; fd < first_reusable_fd + reusable_fds; fd++)
+ UTI_FdSetCloexec(fd);
+
 initialised = 1;
 }
 
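Review bot: The comment above the condition in set_socket_flags() no longer matches the code, because reusable sockets are now skipped there and depend on the loop added to SCK_Initialise() having set the flag already. I would extend it to something like `/* Close the socket automatically on exec (reusable sockets get the flag in SCK_Initialise()) */`, so that anyone changing either place sees the dependency. The body of set_socket_flags() continues past the end of this hunk.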
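Review bot: The return value of `UTI_FdSetCloexec(fd)` is dropped in the new loop at the end of SCK_Initialise(), whereas set_socket_flags() treats the same failure as an error and, with this commit, no longer touches reusable sockets at all. If the call fails for a descriptor handed over by the service manager, that descriptor stays inheritable across exec and nothing records it, which is the leak to the mailonchange helper this commit is meant to close. I would check the result, e.g. `if (!UTI_FdSetCloexec(fd)) LOG_FATAL("Could not set CLOEXEC on fd %d", fd);`, or log a warning instead if startup should continue; this assumes LOG_FATAL is in scope in socket.c, which the hunk does not show. The start of SCK_Initialise() is outside this hunk.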