From: Valentine Krasnobaeva
Date: Mon, 29 Apr 2024 08:38:46 +0000 (+0200)
Subject: MEDIUM: unix sock: use my_socketat to create bind socket
X-Git-Tag: v3.0-dev10~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d602d568e01c5df026a921a25b67a7c77d3eefc4;p=thirdparty%2Fhaproxy.git

MEDIUM: unix sock: use my_socketat to create bind socket

As UNIX Domain sockets could be attached to Linux namespaces (see more details about it in the Linux kernel patch set below: https://lore.kernel.org/netdev/m1hbl7hxo3.fsf@fess.ebiederm.org), it is better to use my_socket_at() in order to create the UNIX listener's socket. my_socket_at() takes into account a network namespace that may be configured for a frontend in the bind line:

    frontend fe_foo
        ...
        bind uxst@frontend.sock user haproxy group haproxy mode 660 namespace frontend

Like this, namespace-aware applications, such as netstat for example, will see this listening socket in its 'frontend' namespace and not in the root namespace as it was before.

It is important to mention that the fixes in the Linux kernel referenced above allow connecting to this listener's socket from the root and from any other namespace. A UNIX Domain socket is protected by its permission set, which must be set with caution on its inode.

---
diff --git a/src/sock_unix.c b/src/sock_unix.c index ef749a53a6..0f9bc9a38d 100644 --- a/src/sock_unix.c +++ b/src/sock_unix.c @@ -255,8 +255,8 @@ int sock_unix_bind_receiver(struct receiver *rx, char **errmsg) } addr.sun_family = AF_UNIX; - /* WT: shouldn't we use my_socketat(rx->netns) here instead ? */ - fd = socket(rx->proto->fam->sock_domain, rx->proto->sock_type, rx->proto->sock_prot); + fd = my_socketat(rx->settings->netns, rx->proto->fam->sock_domain, + rx->proto->sock_type, rx->proto->sock_prot); if (fd < 0) { err |= ERR_FATAL | ERR_ALERT; memprintf(errmsg, "cannot create receiving socket (%s)", strerror(errno));
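Review bot: the removed comment asked about `rx->netns` while the new call passes `rx->settings->netns`; the commit message should state which field actually carries the bind-line `namespace` setting, because passing the wrong one would silently create the listener in the root namespace, the exact behaviour this change is meant to remove. The message also names the helper `my_socket_at()` although the code calls `my_socketat()`; please align the spelling so the message is greppable. Finally, since the message itself notes that the socket stays reachable from the root and any other namespace, the `user`/`group`/`mode` options on the bind line remain the effective access control for this listener; it would help operators if the `memprintf(errmsg, "cannot create receiving socket (%s)", ...)` path also reported the namespace name, so a failed namespace switch is distinguishable from a plain `socket()` failure.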