From 42458c2489abd50142517e6476db30acf4ac10d5 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Fri, 9 Oct 2020 09:50:32 -0700
Subject: [PATCH] konnectivity-server should make the socket group readable and writeable when it listens on the socket.

Most systems have a default umask of 022, meaning when konnectivity-server creates the socket only the user that it is running as will have read-write permissions to the socket. This means that any other process that needs to read-write to the socket needs to be run as the same user as konnectivity-server. Reset the umask even if listen fails. Move Umask and getting a uds listener to its own function and protect it by a lock.

---
 cmd/server/main.go | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 54be511d7..5c8c8be77 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -29,6 +29,7 @@ import (
 	"os"
 	"os/signal"
 	"runtime"
+	"sync"
 	"syscall"
 
 	"github.com/google/uuid"
@@ -46,6 +47,8 @@ import (
 	"sigs.k8s.io/apiserver-network-proxy/proto/agent"
 )
 
+var udsListenerLock sync.Mutex
+
 func main() {
 	// flag.CommandLine.Parse(os.Args[1:])
 	proxy := &Proxy{}
@@ -397,6 +400,19 @@ func SetupSignalHandler() (stopCh <-chan struct{}) {
 	return stop
 }
 
+func getUDSListener(ctx context.Context, udsName string) (net.Listener, error) {
+	udsListenerLock.Lock()
+	defer udsListenerLock.Unlock()
+	oldUmask := syscall.Umask(0007)
+	defer syscall.Umask(oldUmask)
+	var lc net.ListenConfig
+	lis, err := lc.Listen(ctx, "unix", udsName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to listen(unix) name %s: %v", udsName, err)
+	}
+	return lis, nil
+}
+
 func (p *Proxy) runMasterServer(ctx context.Context, o *ProxyRunOptions, server *server.ProxyServer) (StopFunc, error) {
 	if o.udsName != "" {
 		return p.runUDSMasterServer(ctx, o, server)
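Review bot: The umask lowered in getUDSListener is process-wide, so udsListenerLock only serializes callers of this one function; any file another goroutine creates between `syscall.Umask(0007)` and the deferred restore (log output, temp files) is also created group-writable, and nothing in this hunk documents that. A comment above the lock should state the limit, e.g. `// udsListenerLock serializes umask changes made by getUDSListener; it does not protect files created elsewhere while the umask is lowered.` The function's doc comment should also say that group write on the socket lets every member of the process's effective group (or the parent directory's group when it is setgid) connect, so the socket directory's ownership and mode are what bound access. If the module targets Go 1.13 or later, `%w` instead of `%v` in the fmt.Errorf would let callers unwrap the listen error.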
@@ -414,10 +430,9 @@ func (p *Proxy) runUDSMasterServer(ctx context.Context, o *ProxyRunOptions, s *s
 	if o.mode == "grpc" {
 		grpcServer := grpc.NewServer()
 		client.RegisterProxyServiceServer(grpcServer, s)
-		var lc net.ListenConfig
-		lis, err := lc.Listen(ctx, "unix", o.udsName)
+		lis, err := getUDSListener(ctx, o.udsName)
 		if err != nil {
-			return nil, fmt.Errorf("failed to listen(unix) name %s: %v", o.udsName, err)
+			return nil, fmt.Errorf("failed to get uds listener: %v", err)
 		}
 		go grpcServer.Serve(lis)
 		stop = grpcServer.GracefulStop
@@ -430,10 +445,9 @@ func (p *Proxy) runUDSMasterServer(ctx context.Context, o *ProxyRunOptions, s *s
 		}
 		stop = func() { server.Shutdown(ctx) }
 		go func() {
-			var lc net.ListenConfig
-			udsListener, err := lc.Listen(ctx, "unix", o.udsName)
+			udsListener, err := getUDSListener(ctx, o.udsName)
 			if err != nil {
-				klog.ErrorS(err, "failed to listen on uds", "name", o.udsName)
+				klog.ErrorS(err, "failed to get uds listener")
 			}
 			defer func() {
 				udsListener.Close()
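Review bot: In the goroutine of the non-grpc branch (second hunk), a getUDSListener failure is only logged and execution continues, so the `defer func() { udsListener.Close() }()` that follows runs against a nil listener and the goroutine panics; add `return` right after the `klog.ErrorS(err, "failed to get uds listener")` line. The same shape existed before this commit, but the rewritten error path still reaches it. Dropping the `"name", o.udsName` key from the log is fine here since getUDSListener already embeds the socket name in the error it returns. runUDSMasterServer starts and ends outside both hunks.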