http_private: use PrivilegeDropper

aquatic_http_private/src/lib.rs

@@ -4,7 +4,9 @@ mod workers;
 
 use std::{collections::VecDeque, sync::Arc};
 
-use aquatic_common::{rustls_config::create_rustls_config, PanicSentinelWatcher};
+use aquatic_common::{
+    privileges::PrivilegeDropper, rustls_config::create_rustls_config, PanicSentinelWatcher,
+};
 use common::ChannelRequestSender;
 use dotenv::dotenv;
 use signal_hook::{consts::SIGTERM, iterator::Signals};
@@ -36,6 +38,8 @@ pub fn run(config: Config) -> anyhow::Result<()> {
     }
 
     let (sentinel_watcher, sentinel) = PanicSentinelWatcher::create_with_sentinel();
+    let priv_dropper = PrivilegeDropper::new(config.privileges.clone(), config.socket_workers);
+
     let mut handles = Vec::new();
 
     for _ in 0..config.socket_workers {
@@ -43,11 +47,18 @@ pub fn run(config: Config) -> anyhow::Result<()> {
         let config = config.clone();
         let tls_config = tls_config.clone();
         let request_sender = ChannelRequestSender::new(request_senders.clone());
+        let priv_dropper = priv_dropper.clone();
 
         let handle = ::std::thread::Builder::new()
             .name("socket".into())
             .spawn(move || {
-                workers::socket::run_socket_worker(sentinel, config, tls_config, request_sender)
+                workers::socket::run_socket_worker(
+                    sentinel,
+                    config,
+                    tls_config,
+                    request_sender,
+                    priv_dropper,
+                )
             })?;
 
         handles.push(handle);

aquatic_http_private/src/workers/socket/mod.rs

@@ -8,7 +8,7 @@ use std::{
 };
 
 use anyhow::Context;
-use aquatic_common::{rustls_config::RustlsConfig, PanicSentinel};
+use aquatic_common::{privileges::PrivilegeDropper, rustls_config::RustlsConfig, PanicSentinel};
 use axum::{extract::connect_info::Connected, routing::get, Extension, Router};
 use hyper::server::conn::AddrIncoming;
 use sqlx::mysql::MySqlPoolOptions;
@@ -27,8 +27,9 @@ pub fn run_socket_worker(
     config: Config,
     tls_config: Arc<RustlsConfig>,
     request_sender: ChannelRequestSender,
+    priv_dropper: PrivilegeDropper,
 ) -> anyhow::Result<()> {
-    let tcp_listener = create_tcp_listener(config.network.address)?;
+    let tcp_listener = create_tcp_listener(config.network.address, priv_dropper)?;
 
     let runtime = tokio::runtime::Builder::new_current_thread()
         .enable_all()
@@ -72,7 +73,10 @@ async fn run_app(
     Ok(())
 }
 
-fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result<TcpListener> {
+fn create_tcp_listener(
+    addr: SocketAddr,
+    priv_dropper: PrivilegeDropper,
+) -> anyhow::Result<TcpListener> {
     let domain = if addr.is_ipv4() {
         socket2::Domain::IPV4
     } else {
@@ -94,5 +98,7 @@ fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result<TcpListener> {
         .listen(1024)
         .with_context(|| format!("listen on {}", addr))?;
 
+    priv_dropper.after_socket_creation()?;
+
     Ok(socket.into())
 }