Disabled unix sockets being wrongfully sent to the agent when socket …

…isn't connected
metalbear-co · Feb 5, 2024 · deab1c1 · deab1c1
1 parent 514f084
commit deab1c1
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/changelog.d/+unix-socket-falsely-sent.fixed.md b/changelog.d/+unix-socket-falsely-sent.fixed.md
@@ -0,0 +1 @@
+Disabled unix sockets being wrongfully sent to the agent when socket isn't connected
diff --git a/mirrord/layer/src/socket/ops.rs b/mirrord/layer/src/socket/ops.rs
@@ -13,7 +13,7 @@ use std::{
 };
 
 use errno::set_errno;
-use libc::{c_int, c_void, hostent, sockaddr, socklen_t};
+use libc::{c_int, c_void, hostent, sockaddr, socklen_t, AF_UNIX};
 use mirrord_config::feature::network::incoming::IncomingMode;
 use mirrord_intproxy_protocol::{
     ConnMetadataRequest, ConnMetadataResponse, NetProtocol, OutgoingConnectRequest,
@@ -1135,6 +1135,13 @@ pub(super) fn send_to(
         .remove(&sockfd)
         .ok_or(Bypass::LocalFdNotFound(sockfd))?;
 
+    // we don't support unix sockets which don't use `connect`
+    if (destination.is_unix() || user_socket_info.domain == AF_UNIX)
+        && user_socket_info.user_socket_info.state != SocketState::Connected
+    {
+        return Bypass::UnixSocket(destination);
+    }
+
     // Currently this flow only handles DNS resolution.
     // So here we have to check for 2 things:
     //
@@ -1214,6 +1221,13 @@ pub(super) fn sendmsg(
         .remove(&sockfd)
         .ok_or(Bypass::LocalFdNotFound(sockfd))?;
 
+    // we don't support unix sockets which don't use `connect`
+    if (destination.is_unix() || user_socket_info.domain == AF_UNIX)
+        && user_socket_info.user_socket_info.state != SocketState::Connected
+    {
+        return Bypass::UnixSocket(destination);
+    }
+
     // Currently this flow only handles DNS resolution.
     // So here we have to check for 2 things:
     //