From ea898a6e0a9a812ee62b3f057fd442f21a8b0010 Mon Sep 17 00:00:00 2001 From: Deng Guangxing Date: Mon, 22 May 2023 17:46:44 +0800 Subject: [PATCH] uds and rexec socket file use least privilege Signed-off-by: Deng Guangxing --- qtfs/ipc/uds_main.c | 8 ++++++++ qtfs/ipc/uds_main.h | 1 + qtfs/rexec/rexec_server.c | 4 ++++ 3 files changed, 13 insertions(+) diff --git a/qtfs/ipc/uds_main.c b/qtfs/ipc/uds_main.c index a8d77de..dd0b9f9 100644 --- a/qtfs/ipc/uds_main.c +++ b/qtfs/ipc/uds_main.c @@ -470,10 +470,18 @@ void uds_thread_create() if ((logevt = uds_init_unix_listener(UDS_LOGLEVEL_UPD, uds_event_debug_level)) == NULL) goto end2; + if (chmod(UDS_BUILD_CONN_ADDR, UDS_FILE_MODE) < 0 || + chmod(UDS_DIAG_ADDR, UDS_FILE_MODE) < 0 || + chmod(UDS_LOGLEVEL_UPD, UDS_FILE_MODE) < 0) { + uds_err("set sock file mode to %o failed, errno:%d", UDS_FILE_MODE, errno); + goto end3; + } + ret = uds_thread_execute(); if (ret < 0) { uds_err("uds create thread failed."); } +end3: uds_del_event(logevt); end2: uds_del_event(diagevt); diff --git a/qtfs/ipc/uds_main.h b/qtfs/ipc/uds_main.h index 491332c..3903ec8 100644 --- a/qtfs/ipc/uds_main.h +++ b/qtfs/ipc/uds_main.h @@ -23,6 +23,7 @@ #define UDS_EPOLL_MAX_EVENTS 64 #define UDS_WORK_THREAD_MAX 1 // Temporarily only supports 1 thread #define UDS_FD_LIMIT 65536 +#define UDS_FILE_MODE 0600 // for least privilege extern struct uds_global_var *p_uds_var; extern GHashTable *event_tmout_hash; diff --git a/qtfs/rexec/rexec_server.c b/qtfs/rexec/rexec_server.c index 58fcf49..e0dbeea 100644 --- a/qtfs/rexec/rexec_server.c +++ b/qtfs/rexec/rexec_server.c @@ -459,6 +459,10 @@ static void rexec_server_mainloop() close(main_epoll_fd); return; } + if (chmod(REXEC_UDS_CONN, 0600) < 0) { + rexec_err("failed to set uds sock file mode:%s errno:%d", REXEC_UDS_CONN, errno); + return; + } if (rexec_set_inherit(ser.sockfd, false) < 0) { rexec_err("cs conn fd fd set inherit to false failed."); } -- Gitee