Improve privilege dropping; run cargo fmt

2026-03-31 17:55:36 +00:00 · 2022-04-05 01:26:40 +02:00 · 2022-04-05 01:26:40 +02:00 · c888017072
commit c888017072
parent 2ad1418175
9 changed files with 70 additions and 92 deletions
--- a/aquatic_http/src/config.rs
+++ b/aquatic_http/src/config.rs
@ -1,6 +1,9 @@
 use std::{net::SocketAddr, path::PathBuf};

-use aquatic_common::{access_list::AccessListConfig, privileges::PrivilegeConfig, cpu_pinning::asc::CpuPinningConfigAsc};
+use aquatic_common::{
+    access_list::AccessListConfig, cpu_pinning::asc::CpuPinningConfigAsc,
+    privileges::PrivilegeConfig,
+};
 use aquatic_toml_config::TomlConfig;
 use serde::Deserialize;

--- a/aquatic_http/src/lib.rs
+++ b/aquatic_http/src/lib.rs
@ -4,13 +4,13 @@ use aquatic_common::{
        glommio::{get_worker_placement, set_affinity_for_util_worker},
        WorkerIndex,
    },
-    privileges::drop_privileges_after_socket_binding,
+    privileges::PrivilegeDropper,
    rustls_config::create_rustls_config,
 };
 use common::State;
 use glommio::{channels::channel_mesh::MeshBuilder, prelude::*};
 use signal_hook::{consts::SIGUSR1, iterator::Signals};
-use std::sync::{atomic::AtomicUsize, Arc};
+use std::sync::Arc;

 use crate::config::Config;

@ -63,7 +63,7 @@ pub fn run_inner(config: Config, state: State) -> anyhow::Result<()> {
    let request_mesh_builder = MeshBuilder::partial(num_peers, SHARED_CHANNEL_SIZE);
    let response_mesh_builder = MeshBuilder::partial(num_peers, SHARED_CHANNEL_SIZE);

-    let num_bound_sockets = Arc::new(AtomicUsize::new(0));
+    let priv_dropper = PrivilegeDropper::new(config.privileges.clone(), config.socket_workers);

    let tls_config = Arc::new(create_rustls_config(
        &config.network.tls_certificate_path,
@ -78,7 +78,7 @@ pub fn run_inner(config: Config, state: State) -> anyhow::Result<()> {
        let tls_config = tls_config.clone();
        let request_mesh_builder = request_mesh_builder.clone();
        let response_mesh_builder = response_mesh_builder.clone();
-        let num_bound_sockets = num_bound_sockets.clone();
+        let priv_dropper = priv_dropper.clone();

        let placement = get_worker_placement(
            &config.cpu_pinning,
@ -95,7 +95,7 @@ pub fn run_inner(config: Config, state: State) -> anyhow::Result<()> {
                tls_config,
                request_mesh_builder,
                response_mesh_builder,
-                num_bound_sockets,
+                priv_dropper,
            )
            .await
        });
@ -130,13 +130,6 @@ pub fn run_inner(config: Config, state: State) -> anyhow::Result<()> {
        executors.push(executor);
    }

-    drop_privileges_after_socket_binding(
-        &config.privileges,
-        num_bound_sockets,
-        config.socket_workers,
-    )
-    .unwrap();
-
    if config.cpu_pinning.active {
        set_affinity_for_util_worker(
            &config.cpu_pinning,
--- a/aquatic_http/src/workers/socket.rs
+++ b/aquatic_http/src/workers/socket.rs
@ -2,11 +2,11 @@ use std::cell::RefCell;
 use std::collections::BTreeMap;
 use std::os::unix::prelude::{FromRawFd, IntoRawFd};
 use std::rc::Rc;
-use std::sync::atomic::{AtomicUsize, Ordering};
 use std::sync::Arc;
 use std::time::{Duration, Instant};

 use aquatic_common::access_list::{create_access_list_cache, AccessListArcSwap, AccessListCache};
+use aquatic_common::privileges::PrivilegeDropper;
 use aquatic_common::rustls_config::RustlsConfig;
 use aquatic_common::CanonicalSocketAddr;
 use aquatic_http_protocol::common::InfoHash;
@ -58,13 +58,12 @@ pub async fn run_socket_worker(
    tls_config: Arc<RustlsConfig>,
    request_mesh_builder: MeshBuilder<ChannelRequest, Partial>,
    response_mesh_builder: MeshBuilder<ChannelResponse, Partial>,
-    num_bound_sockets: Arc<AtomicUsize>,
+    priv_dropper: PrivilegeDropper,
 ) {
    let config = Rc::new(config);
    let access_list = state.access_list;

-    let listener = create_tcp_listener(&config);
-    num_bound_sockets.fetch_add(1, Ordering::SeqCst);
+    let listener = create_tcp_listener(&config, priv_dropper);

    let (request_senders, _) = request_mesh_builder.join(Role::Producer).await.unwrap();
    let request_senders = Rc::new(request_senders);
@ -485,7 +484,7 @@ fn calculate_request_consumer_index(config: &Config, info_hash: InfoHash) -> usi
    (info_hash.0[0] as usize) % config.request_workers
 }

-fn create_tcp_listener(config: &Config) -> TcpListener {
+fn create_tcp_listener(config: &Config, priv_dropper: PrivilegeDropper) -> TcpListener {
    let domain = if config.network.address.is_ipv4() {
        socket2::Domain::IPV4
    } else {
@ -509,5 +508,7 @@ fn create_tcp_listener(config: &Config) -> TcpListener {
        .listen(config.network.tcp_backlog)
        .unwrap_or_else(|err| panic!("socket: listen {}: {:?}", config.network.address, err));

+    priv_dropper.after_socket_creation();
+
    unsafe { TcpListener::from_raw_fd(socket.into_raw_fd()) }
 }