From 87bfec5e55487aea976691ff40552242d1bfa94b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joakim=20Frosteg=C3=A5rd?=
Date: Wed, 6 Apr 2022 18:51:56 +0200
Subject: [PATCH] http_private: use PrivilegeDropper
---
 aquatic_http_private/src/lib.rs | 15 +++++++++++++--
 aquatic_http_private/src/workers/socket/mod.rs | 12 +++++++++---
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/aquatic_http_private/src/lib.rs b/aquatic_http_private/src/lib.rs
index 45d3170..88609e1 100644
--- a/aquatic_http_private/src/lib.rs
+++ b/aquatic_http_private/src/lib.rs
@@ -4,7 +4,9 @@ mod workers;
 use std::{collections::VecDeque, sync::Arc};
-use aquatic_common::{rustls_config::create_rustls_config, PanicSentinelWatcher};
+use aquatic_common::{
+ privileges::PrivilegeDropper, rustls_config::create_rustls_config, PanicSentinelWatcher,
+};
 use common::ChannelRequestSender;
 use dotenv::dotenv;
 use signal_hook::{consts::SIGTERM, iterator::Signals};
@@ -36,6 +38,8 @@ pub fn run(config: Config) -> anyhow::Result<()> {
 }
 let (sentinel_watcher, sentinel) = PanicSentinelWatcher::create_with_sentinel();
+ let priv_dropper = PrivilegeDropper::new(config.privileges.clone(), config.socket_workers);
+
 let mut handles = Vec::new();
 for _ in 0..config.socket_workers {
@@ -43,11 +47,18 @@ pub fn run(config: Config) -> anyhow::Result<()> {
 let config = config.clone();
 let tls_config = tls_config.clone();
 let request_sender = ChannelRequestSender::new(request_senders.clone());
+ let priv_dropper = priv_dropper.clone();
 let handle = ::std::thread::Builder::new()
 .name("socket".into())
 .spawn(move || {
- workers::socket::run_socket_worker(sentinel, config, tls_config, request_sender)
+ workers::socket::run_socket_worker(
+ sentinel,
+ config,
+ tls_config,
+ request_sender,
+ priv_dropper,
+ )
 })?;
 handles.push(handle);
diff --git a/aquatic_http_private/src/workers/socket/mod.rs b/aquatic_http_private/src/workers/socket/mod.rs
index 13304aa..24e561b 100644
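Review bot: `PrivilegeDropper::new(config.privileges.clone(), config.socket_workers)` in the second hunk ties the drop to the socket-worker count, and the only trigger is the `after_socket_creation()` call each worker makes through the clone handed out in the third hunk, so if `config.socket_workers` is 0 the loop spawns nothing and, assuming the dropper waits for that many reports, privileges are never dropped while the process keeps running as started. No validation of `socket_workers` is visible here, so either confirm it is rejected at config load or guard it before the dropper is built: `anyhow::ensure!(config.socket_workers > 0, "socket_workers must be at least 1");`. A short comment on the new binding would also help readers: `// Shared by all socket workers; each one calls after_socket_creation() once its listener is bound.`. `run` starts before this hunk.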
--- a/aquatic_http_private/src/workers/socket/mod.rs
+++ b/aquatic_http_private/src/workers/socket/mod.rs
@@ -8,7 +8,7 @@ use std::{
 };
 use anyhow::Context;
-use aquatic_common::{rustls_config::RustlsConfig, PanicSentinel};
+use aquatic_common::{privileges::PrivilegeDropper, rustls_config::RustlsConfig, PanicSentinel};
 use axum::{extract::connect_info::Connected, routing::get, Extension, Router};
 use hyper::server::conn::AddrIncoming;
 use sqlx::mysql::MySqlPoolOptions;
@@ -27,8 +27,9 @@ pub fn run_socket_worker(
 config: Config,
 tls_config: Arc,
 request_sender: ChannelRequestSender,
+ priv_dropper: PrivilegeDropper,
 ) -> anyhow::Result<()> {
- let tcp_listener = create_tcp_listener(config.network.address)?;
+ let tcp_listener = create_tcp_listener(config.network.address, priv_dropper)?;
 let runtime = tokio::runtime::Builder::new_current_thread()
 .enable_all()
@@ -72,7 +73,10 @@ async fn run_app(
 Ok(())
 }
-fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result {
+fn create_tcp_listener(
+ addr: SocketAddr,
+ priv_dropper: PrivilegeDropper,
+) -> anyhow::Result {
 let domain = if addr.is_ipv4() {
 socket2::Domain::IPV4
 } else {
@@ -94,5 +98,7 @@ fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result {
 .listen(1024)
 .with_context(|| format!("listen on {}", addr))?;
+ priv_dropper.after_socket_creation()?;
+
 Ok(socket.into())
 }
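Review bot: With `create_tcp_listener(config.network.address, priv_dropper)?` the privilege drop is now requested before the tokio runtime is built on the following lines, so everything the worker does afterwards — presumably including the `MySqlPoolOptions` setup suggested by the imports and `run_app` — runs with whatever privileges remain; that is the right order for binding a privileged port, but it means any file or socket the worker opens later (database socket, anything under `config`) must be accessible to the unprivileged identity, which is worth stating in the config docs. The new parameter is undocumented; a doc line on `run_socket_worker` such as `/// `priv_dropper` is consumed by `create_tcp_listener`, which notifies it once the listener is bound; later steps run after that notification.` would make the ordering explicit. The function body continues past the hunk.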
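Review bot: `priv_dropper.after_socket_creation()?` in the last hunk sits after `listen`, so the socket is bound while still privileged and the drop is requested only then, which is correct — but the `?` means a failed drop only returns `Err` from this worker, and whether that stops the whole process, or whether other workers keep serving while the dropper has not yet applied the change, depends on `PrivilegeDropper` and on the join/sentinel handling in `run`, neither of which is in the diff; please confirm the failure mode is fail-closed rather than one worker dying while the rest continue privileged. `create_tcp_listener` now begins in the previous hunk and would benefit from a doc comment there: `/// Creates a listening socket on `addr`, then notifies `priv_dropper` that this socket is bound; the listener is returned only if that notification succeeds.`.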