From d602d568e01c5df026a921a25b67a7c77d3eefc4 Mon Sep 17 00:00:00 2001
From: Valentine Krasnobaeva
Date: Mon, 29 Apr 2024 10:38:46 +0200
Subject: [PATCH] MEDIUM: unix sock: use my_socketat to create bind socket

As UNIX Domain sockets could be attached to Linux namespaces (see more details about it in the Linux kernel patch set below: https://lore.kernel.org/netdev/m1hbl7hxo3.fsf@fess.ebiederm.org), it is better to use my_socket_at() in order to create the UNIX listener's socket. my_socket_at() takes into account a network namespace that may be configured for a frontend in the bind line:

    frontend fe_foo
        ...
        bind uxst@frontend.sock user haproxy group haproxy mode 660 namespace frontend

Like this, namespace-aware applications such as netstat will see this listening socket in its 'frontend' namespace and not in the root namespace as it was before.

It is important to mention that the fixes in the Linux kernel referenced above allow connecting to this listener's socket from the root and from any other namespace. The UNIX Domain socket is protected by its permission set, which must be set with caution on its inode.
---
 src/sock_unix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sock_unix.c b/src/sock_unix.c
index ef749a53a..0f9bc9a38 100644
--- a/src/sock_unix.c
+++ b/src/sock_unix.c
@@ -255,8 +255,8 @@ int sock_unix_bind_receiver(struct receiver *rx, char **errmsg) } addr.sun_family = AF_UNIX; - /* WT: shouldn't we use my_socketat(rx->netns) here instead ? */ - fd = socket(rx->proto->fam->sock_domain, rx->proto->sock_type, rx->proto->sock_prot); + fd = my_socketat(rx->settings->netns, rx->proto->fam->sock_domain, + rx->proto->sock_type, rx->proto->sock_prot); if (fd < 0) { err |= ERR_FATAL | ERR_ALERT; memprintf(errmsg, "cannot create receiving socket (%s)", strerror(errno));
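Review bot: the error path right after the new call is now too vague: with `fd = my_socketat(rx->settings->netns, ...)` a negative return can mean that the configured network namespace could not be entered, not only that socket() failed, yet the unchanged context line still reports `"cannot create receiving socket (%s)"` with only strerror(errno). Consider extending that memprintf() so the operator sees which `namespace` from the bind line was involved, since a misconfigured namespace name on a uxst bind would otherwise look like a generic socket failure. Also, the diffstat shows only src/sock_unix.c changed: the `namespace` bind keyword now affects uxst listeners, so the configuration documentation for that keyword should say so, and should carry the commit message's point that the socket remains reachable from other namespaces and is protected only by the permissions set on its inode (user/group/mode on the bind line). Minor: the commit body calls the function my_socket_at() twice while the subject and the hunk use the actual name my_socketat.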