From: Andreas Henriksson <firstname.lastname@example.org>
Subject: Fix permissions for unix socket

irqbalance will try to create a unix socket at /run/irqbalanceN.sock
and if it fails falls back on using an abstract socket.
The abstract socket is causing problems on its own, see #915834
and the related upstream bug report.
Just dropping the :ro suffix gives irqbalance permissions enough
to use file based unix sockets and thus doesn't need to fall
back on abstract sockets anymore. Though, since the file is
created on a tmpfs that the daemon only has access to the
irqbalance-ui isn't able to access it ..... Thus completely
disable the separate tmpfs and expose entire /run to irqbalance
daemon for both reading and writing.
This makes all cases work, but isn't optimal from a security
perspective. Those that don't care about irqbalance-ui might
want to re-enable the separate tmpfs for the daemon.
Hopefully upstream works something out at some point making
this patch obsolete....
@@ -10,9 +10,12 @@
+# irqbalance needs /run read-write to be able to create /run/irqbalanceN.sock
+# (or it'll fall back on abstract sockets), but putting it on a separate
+# tmpfs also makes it inaccessible to irqbalance-ui so disable it for now.
# If IRQBALANCE_ONESHOT environment is set, the service will exit so:
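
Review bot: the added comment at the top of this hunk says the separate tmpfs is disabled "for now" but gives a later maintainer nothing to act on: it names neither the bug the commit message cites (#915834) nor the cost, which the commit message states as exposing the entire /run to the daemon for both reading and writing. Suggest adding both to the comment, along with a line saying that setups which do not use irqbalance-ui can re-enable the separate tmpfs, so the weaker sandboxing is visible in the file itself rather than only in the patch description.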