Add -z option to s6-tlsc/s6-tlsd to clean TLS env vars before spawning (default)

2 files changed, 22 insertions, 0 deletions

diff --git a/src/libs6net/deps-lib/s6net b/src/libs6net/deps-lib/s6net
index 27067c4..b8be843 100644
--- a/src/libs6net/deps-lib/s6net
+++ b/src/libs6net/deps-lib/s6net
@@ -2,4 +2,5 @@ s6net_ident_client.o
 s6net_ident_reply_get.o
 s6net_ident_reply_parse.o
 s6net_ident_error.o
+s6net_clean_tls_and_spawn.o
 -lskarnet
diff --git a/src/libs6net/s6net_clean_tls_and_spawn.c b/src/libs6net/s6net_clean_tls_and_spawn.c
new file mode 100644
index 0000000..67ba79b
--- /dev/null
+++ b/src/libs6net/s6net_clean_tls_and_spawn.c
@@ -0,0 +1,21 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <skalibs/env.h>
+#include <skalibs/djbunix.h>
+#include <s6-networking/s6net-utils.h>
+
+pid_t s6net_clean_tls_and_spawn (char const *const *argv, char const *const *envp, int *fds, uint32_t options)
+{
+  if (!(options & 1)) return child_spawn2(argv[0], argv, envp, fds) ;
+  else
+  {
+    char const modifs[] = "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" ;
+    size_t modiflen = sizeof(modifs) ;
+    size_t n = env_len(envp) ;
+    char const *newenv[n + 7] ;
+    size_t newenvlen = env_merge(newenv, n+7, envp, n, modifs, modiflen) ;
+    if (!newenvlen) return 0 ;
+    return child_spawn2(argv[0], argv, newenv, fds) ;
+  }
+}