tree-wide: relax access mode of private Varlink sockets a bit

diff --git a/src/libsystemd/sd-varlink/sd-varlink.c b/src/libsystemd/sd-varlink/sd-varlink.c
index 9f06f6926555c4414aa03bdd386c3b85a5a33869..048dbb474725a4503699ee1812492460f6f40d85 100644 (file)
--- a/src/libsystemd/sd-varlink/sd-varlink.c
+++ b/src/libsystemd/sd-varlink/sd-varlink.c
@@ -3452,6 +3452,13 @@ _public_ int sd_varlink_server_listen_fd(sd_varlink_server *s, int fd) {
         return 0;
 }
 
+static mode_t default_listen_mode(sd_varlink_server_flags_t flags) {
+        /* NB: we use 0644 rather than 0600 here, because it's the "w" flag that controls connect()
+         * privileges, but leaving the "r" flag on allows others to read our xattrs, which is good because it
+         * makes our sockets recognizable as varlink, even if not connectible. */
+        return (flags & (SD_VARLINK_SERVER_ROOT_ONLY|SD_VARLINK_SERVER_MYSELF_ONLY)) != 0 ? 0644 : 0666;
+}
+
 _public_ int sd_varlink_server_listen_address(sd_varlink_server *s, const char *address, mode_t m) {
         _cleanup_(varlink_server_socket_freep) VarlinkServerSocket *ss = NULL;
         union sockaddr_union sockaddr;
@@ -3461,6 +3468,12 @@ _public_ int sd_varlink_server_listen_address(sd_varlink_server *s, const char *
 
         assert_return(s, -EINVAL);
         assert_return(address, -EINVAL);
+
+        /* NB: we resolve m being MODE_INVALID before checking SD_VARLINK_SERVER_MODE_MKDIR_0755, since that
+         * flag is not defined for MODE_INVALID (if we'd check we'd see it always set...) */
+        if (m == MODE_INVALID)
+                m = default_listen_mode(s->flags);
+
         assert_return((m & ~(0777|SD_VARLINK_SERVER_MODE_MKDIR_0755)) == 0, -EINVAL);
 
         /* Validate that the definition of our flag doesn't collide with the official mode_t bits. Thankfully
@@ -3636,7 +3649,7 @@ _public_ int sd_varlink_server_listen_auto(sd_varlink_server *s) {
                 if (streq(e, "-"))
                         r = sd_varlink_server_add_connection_stdio(s, /* ret= */ NULL);
                 else
-                        r = sd_varlink_server_listen_address(s, e, FLAGS_SET(s->flags, SD_VARLINK_SERVER_ROOT_ONLY) ? 0600 : 0666);
+                        r = sd_varlink_server_listen_address(s, e, default_listen_mode(s->flags));
                 if (r < 0)
                         return r;
 

diff --git a/src/udev/udev-varlink.c b/src/udev/udev-varlink.c
index 355e5a7860530dba5b09772d6953768d44ce297c..183265fc5353c90c2724f24ad9015f9e2f396b4d 100644 (file)
--- a/src/udev/udev-varlink.c
+++ b/src/udev/udev-varlink.c
@@ -189,7 +189,7 @@ int manager_start_varlink_server(Manager *manager, int fd) {
                 return log_error_errno(r, "Failed to attach Varlink connection to event loop: %m");
 
         if (fd < 0)
-                r = sd_varlink_server_listen_address(v, UDEV_VARLINK_ADDRESS, 0600);
+                r = sd_varlink_server_listen_address(v, UDEV_VARLINK_ADDRESS, 0644);
         else
                 r = sd_varlink_server_listen_fd(v, fd);
         if (r < 0)

diff --git a/src/vmspawn/vmspawn-varlink.c b/src/vmspawn/vmspawn-varlink.c
index 57230c8e8f45d095396c7a3d952320b15b25e0f2..b75b8daa994550581b9e13eec818cb4710ef614f 100644 (file)
--- a/src/vmspawn/vmspawn-varlink.c
+++ b/src/vmspawn/vmspawn-varlink.c
@@ -551,7 +551,7 @@ int vmspawn_varlink_setup(
         if (!listen_address)
                 return log_oom();
 
-        r = sd_varlink_server_listen_address(ctx->varlink_server, listen_address, 0600);
+        r = sd_varlink_server_listen_address(ctx->varlink_server, listen_address, 0644);
         if (r < 0)
                 return log_error_errno(r, "Failed to listen on %s: %m", listen_address);