http_private: use PrivilegeDropper

Joakim Frostegård 2022-04-06 18:51:56 +02:00
parent a4c7e79dc9
commit 87bfec5e55
2 changed files with 22 additions and 5 deletions


@ -4,7 +4,9 @@ mod workers;
use std::{collections::VecDeque, sync::Arc}; use std::{collections::VecDeque, sync::Arc};
use aquatic_common::{rustls_config::create_rustls_config, PanicSentinelWatcher}; use aquatic_common::{
privileges::PrivilegeDropper, rustls_config::create_rustls_config, PanicSentinelWatcher,
};
use common::ChannelRequestSender; use common::ChannelRequestSender;
use dotenv::dotenv; use dotenv::dotenv;
use signal_hook::{consts::SIGTERM, iterator::Signals}; use signal_hook::{consts::SIGTERM, iterator::Signals};
@ -36,6 +38,8 @@ pub fn run(config: Config) -> anyhow::Result<()> {
} }
let (sentinel_watcher, sentinel) = PanicSentinelWatcher::create_with_sentinel(); let (sentinel_watcher, sentinel) = PanicSentinelWatcher::create_with_sentinel();
let priv_dropper = PrivilegeDropper::new(config.privileges.clone(), config.socket_workers);
let mut handles = Vec::new(); let mut handles = Vec::new();
for _ in 0..config.socket_workers { for _ in 0..config.socket_workers {
@ -43,11 +47,18 @@ pub fn run(config: Config) -> anyhow::Result<()> {
let config = config.clone(); let config = config.clone();
let tls_config = tls_config.clone(); let tls_config = tls_config.clone();
let request_sender = ChannelRequestSender::new(request_senders.clone()); let request_sender = ChannelRequestSender::new(request_senders.clone());
let priv_dropper = priv_dropper.clone();
let handle = ::std::thread::Builder::new() let handle = ::std::thread::Builder::new()
.name("socket".into()) .name("socket".into())
.spawn(move || { .spawn(move || {
workers::socket::run_socket_worker(sentinel, config, tls_config, request_sender) workers::socket::run_socket_worker(
sentinel,
config,
tls_config,
request_sender,
priv_dropper,
)
})?; })?;
handles.push(handle); handles.push(handle);
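Review bot: `PrivilegeDropper::new(config.privileges.clone(), config.socket_workers)` ties the dropper to a worker count, and nothing at the call site says that this number must stay equal to the number of threads spawned by the `for _ in 0..config.socket_workers` loop below it. PrivilegeDropper's implementation is not shown on this page, so whether a mismatch would delay or skip the drop cannot be judged from here, but the coupling deserves a comment such as `// One clone per socket worker: the count given to PrivilegeDropper::new must match the number of threads that call after_socket_creation().` The body of `run` continues outside these hunks, so it is also worth confirming that any threads it starts elsewhere do not need elevated privileges once the socket workers have bound their listeners.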


@ -8,7 +8,7 @@ use std::{
}; };
use anyhow::Context; use anyhow::Context;
use aquatic_common::{rustls_config::RustlsConfig, PanicSentinel}; use aquatic_common::{privileges::PrivilegeDropper, rustls_config::RustlsConfig, PanicSentinel};
use axum::{extract::connect_info::Connected, routing::get, Extension, Router}; use axum::{extract::connect_info::Connected, routing::get, Extension, Router};
use hyper::server::conn::AddrIncoming; use hyper::server::conn::AddrIncoming;
use sqlx::mysql::MySqlPoolOptions; use sqlx::mysql::MySqlPoolOptions;
@ -27,8 +27,9 @@ pub fn run_socket_worker(
config: Config, config: Config,
tls_config: Arc<RustlsConfig>, tls_config: Arc<RustlsConfig>,
request_sender: ChannelRequestSender, request_sender: ChannelRequestSender,
priv_dropper: PrivilegeDropper,
) -> anyhow::Result<()> { ) -> anyhow::Result<()> {
let tcp_listener = create_tcp_listener(config.network.address)?; let tcp_listener = create_tcp_listener(config.network.address, priv_dropper)?;
let runtime = tokio::runtime::Builder::new_current_thread() let runtime = tokio::runtime::Builder::new_current_thread()
.enable_all() .enable_all()
@ -72,7 +73,10 @@ async fn run_app(
Ok(()) Ok(())
} }
fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result<TcpListener> { fn create_tcp_listener(
addr: SocketAddr,
priv_dropper: PrivilegeDropper,
) -> anyhow::Result<TcpListener> {
let domain = if addr.is_ipv4() { let domain = if addr.is_ipv4() {
socket2::Domain::IPV4 socket2::Domain::IPV4
} else { } else {
@ -94,5 +98,7 @@ fn create_tcp_listener(addr: SocketAddr) -> anyhow::Result<TcpListener> {
.listen(1024) .listen(1024)
.with_context(|| format!("listen on {}", addr))?; .with_context(|| format!("listen on {}", addr))?;
priv_dropper.after_socket_creation()?;
Ok(socket.into()) Ok(socket.into())
} }
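Review bot: The privilege drop is skipped whenever socket setup fails, because every `?` ahead of `priv_dropper.after_socket_creation()?` in `create_tcp_listener` (the `.listen(1024)` call visible in the last hunk, and the setup steps outside it) returns before that call. If PrivilegeDropper waits for all `socket_workers` to report in before dropping — an assumption, since its code is not on this page — one failed worker could leave the others waiting or still privileged, so the failure path should be confirmed to terminate the whole process. The function also now changes process privileges as a side effect that its name does not suggest; a doc comment such as `/// Binds and listens on addr, then calls priv_dropper.after_socket_creation(); returns early, without that call, if socket setup fails.` would make this visible, and `.context("drop privileges after socket creation")` on the call would match the error contexts used above it.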