Package: irqbalance / 1.5.0-3

fix-permissions-for-unix-socket.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From: Andreas Henriksson <andreas@fatal.se>
Subject: Fix permissions for unix socket

irqbalance will try to create a unix socket at /run/irqbalanceN.sock
and if it fails falls back on using an abstract socket.
The abstract socket is causing problems on its own, see #915834
and the related upstream bug report.

Just dropping the :ro suffix, gives irqbalance permissions enough
to use file based unix sockets and thus doesn't need to fall
back on abstract sockets anymore. Though, since the file is
created on a tmpfs that the daemon only has access to the
irqbalance-ui aren't able to access it ..... Thus completetly
disable the separate tmpfs and expose entire /run to irqbalance
daemon for both reading and writing.

This makes all cases work, but isn't optimal from a security
perspective. Those that don't care about irqbalance-ui might
want to re-enable the separate tmpfs for the daemon.

Hopefully upstream works something out at some point making
this patch obsolete....

--- a/misc/irqbalance.service
+++ b/misc/irqbalance.service
@@ -10,9 +10,12 @@
 CapabilityBoundingSet=
 NoNewPrivileges=yes
 ReadOnlyPaths=/
-ReadWritePaths=/proc/irq
+ReadWritePaths=/proc/irq /run
 RestrictAddressFamilies=AF_UNIX
-TemporaryFileSystem=/run:ro
+# irqbalance needs /run read-write to be able to create /run/irqbalanceN.sock
+# (or it'll fall back on abstract sockets), but putting it on a separate
+# tmpfs also makes it inaccessible to irqbalance-ui so disable it for now.
+#TemporaryFileSystem=/run
 
 # If IRQBALANCE_ONESHOT environment is set, the service will exit so:
 Restart=no