diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index bcb2200b..4aced1de 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -548,6 +548,13 @@ func newSocketMount(ctx context.Context, conf *Config, pc *portConfig, inst Inst
 if err != nil {
 return nil, err
 }
+ // Change file permisions to allow access for user, group, and other.
+ if network == "unix" {
+ // Best effort. If this call fails, group and other won't have write
+ // access.
+ _ = os.Chmod(address, 0777)
+ }
+
 m := &socketMount{inst: inst.Name, listener: ln}
 return m, nil
 }
diff --git a/internal/proxy/proxy_other_test.go b/internal/proxy/proxy_other_test.go
new file mode 100644
index 00000000..75e33e2b
--- /dev/null
+++ b/internal/proxy/proxy_other_test.go
@@ -0,0 +1,33 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !windows
+// +build !windows
+
+package proxy_test
+
+import (
+ "os"
+ "testing"
+)
+
+func verifySocketPermissions(t *testing.T, addr string) {
+ fi, err := os.Stat(addr)
+ if err != nil {
+ t.Fatalf("os.Stat(%v): %v", addr, err)
+ }
+ if fm := fi.Mode(); fm != 0777|os.ModeSocket {
+ t.Fatalf("file mode: want = %v, got = %v", 0777|os.ModeSocket, fm)
+ }
+}
diff --git a/internal/proxy/proxy_test.go b/internal/proxy/proxy_test.go
index 3d2eea15..80d08a9a 100644
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
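Review bot: In internal/proxy/proxy.go, `os.Chmod(address, 0777)` in the `network == "unix"` branch lets every local account connect to the socket, and a client that can open it presumably reaches the backend with the proxy's own credentials, so the parent directory's permissions become the only access control on a shared host. A narrower default (for example `_ = os.Chmod(address, 0770)`) or a configurable mode would keep the cross-user case working without opening the socket to all users; if 0777 is intended, say so in the comment, e.g. `// World-accessible by design: restrict access with the socket directory's permissions.` The discarded error also means a failed chmod is invisible to the operator; logging it would keep the best-effort behaviour and make it diagnosable. The new comment also misspells "permissions". newSocketMount starts outside the hunk, so how `address` and its directory are created is not visible here.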
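Review bot: `verifySocketPermissions` in internal/proxy/proxy_other_test.go does not call `t.Helper()`, so a failure is reported at the helper's `t.Fatalf` line instead of the `TestClientInitialization` iteration that called it; add `t.Helper()` as the first statement. The exact comparison `fm != 0777|os.ModeSocket` also pins the world-accessible mode as the contract, so a doc comment such as `// verifySocketPermissions fails the test unless addr is a Unix socket with mode 0777.` would make that intent explicit.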
@@ -244,6 +244,8 @@ func TestClientInitialization(t *testing.T) {
 }

 for _, addr := range tc.wantUnixAddrs {
+ verifySocketPermissions(t, addr)
+
 conn, err := net.Dial("unix", addr)
 if err != nil {
 t.Fatalf("want error = nil, got = %v", err)
diff --git a/internal/proxy/proxy_windows_test.go b/internal/proxy/proxy_windows_test.go
new file mode 100644
index 00000000..6a4299d5
--- /dev/null
+++ b/internal/proxy/proxy_windows_test.go
@@ -0,0 +1,25 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proxy_test
+
+import (
+ "testing"
+)
+
+func verifySocketPermissions(t *testing.T, addr string) {
+ // On Linux and Darwin, we check that the socket named by addr exists with
+ // os.Stat. That operation is not supported on Windows.
+ // See https://github.com/microsoft/Windows-Containers/issues/97#issuecomment-887713195
+}
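Review bot: The comment in the Windows `verifySocketPermissions` stub (internal/proxy/proxy_windows_test.go) says the other platforms check that the socket exists, but the non-Windows helper asserts the mode `0777|os.ModeSocket`, so the comment understates what is skipped. On Windows `os.Chmod` only changes the read-only attribute, so the mode set in newSocketMount has no equivalent effect there and nothing in this test covers who may connect to the socket. A wording such as `// No-op on Windows: os.Stat on a Unix socket is unsupported and os.Chmod cannot set POSIX mode bits, so socket access is not verified here.` would state that.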