Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp1023750rbb;
        Sun, 25 Feb 2024 15:57:13 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCW0oBdUg6xfFxtd/2Mu6yc8qd1a/mMFMzjNKl9rVBbSwCMIKqmvhZlm0F3O/Z2swoaUbWBrg30YMilqnWLvqnZMWYKFjins8AFqVBdS1Q==
X-Google-Smtp-Source: AGHT+IFmVOjjrGMA5OHGvzPQVsuRg0eJKB8kFmFZLhXelDE9OXA9MuH2x2BdiKWqeekchXgbgOoR
X-Received: by 2002:a05:6a20:d388:b0:1a0:fcf5:c930 with SMTP id iq8-20020a056a20d38800b001a0fcf5c930mr1185703pzb.27.1708905433284;
        Sun, 25 Feb 2024 15:57:13 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708905433; cv=pass;
        d=google.com; s=arc-20160816;
        b=Vral9X4dpA3fmJDwlpPiAcgeMjUAZRI43KY88ZocUplUdJbM/CepI1OMQFXJ6yo/Wv
         582cJ6CG+xxvCkNC60rwaTtL2vGk0m6sUGJUiAW0dKD3GAj0nE6SPQWNMoOfUASA2TIP
         YajBXs0cpz9We8YiRFpAsNyfEICrlW2SXEbXJB+X3ggK5niDrt3Vm82ro2W3CFsXclkk
         zfUOaiQ3keOd+x7ZiRIqv0wQvNzLlhqKIK5tzXxCaKlPR/ossd6yOuRHOKralObuNtHt
         h7VsppPFt+nYbSfSqPhqHKMH2TfunER3yvwlkpw+abPwY9x5je0whIlSeaHPZvKosC3U
         Fogw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from:dkim-signature:dkim-signature
         :dkim-signature:dkim-signature;
        bh=IurPwmuUAjX6zsDna8Z2CwOq6akHYm61/vixzhal1KU=;
        fh=uOaR8hD3uwq85jp1pqX+OpKEcmH5l5Fo/S8+nHWxXUc=;
        b=ID0g5tW5HWafT3iekJyh/ROIT66de1ju+MJ3WWmaeb7RKdjfbpwuqC33FjBf1vPkiU
         WCjYD6mu/XhlMpgMVnOgJL6H+9o4eHxGQzxEbfwPRFjoCZZ+9Gqcpu10tvY74NtFnwJC
         rCVLbjuxUc1S4tDq+U+YpLtOhsKFYrAle+jXM8EFM3wbCJkZq147ky8huXMUQI7dIMks
         G13/KK8NEQRdHlVlkRlriP794iMUsqys7/tvdhnLWYLvfWeuumwsPVTPRQ+yvwKj6cAZ
         gmEJxUGUZljEr3bLI4QBsO/HHqrmuZiV12Q1jdPffq8lfU3/1BLMRIv4XcA9kpsH4SsG
         3J4Q==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=ES4rSOwA;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=RaHUHjJ7;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519;
       arc=pass (i=1 spf=pass spfdomain=suse.de dkim=pass dkdomain=suse.de dkim=pass dkdomain=suse.de dmarc=pass fromdomain=suse.de);
       spf=pass (google.com: domain of linux-nfs+bounces-2081-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-2081-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Return-Path: <linux-nfs+bounces-2081-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id x92-20020a17090a6c6500b0029a76ded3d5si2894207pjj.87.2024.02.25.15.57.13
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 25 Feb 2024 15:57:13 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-nfs+bounces-2081-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=ES4rSOwA;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=RaHUHjJ7;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519;
       arc=pass (i=1 spf=pass spfdomain=suse.de dkim=pass dkdomain=suse.de dkim=pass dkdomain=suse.de dmarc=pass fromdomain=suse.de);
       spf=pass (google.com: domain of linux-nfs+bounces-2081-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-nfs+bounces-2081-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id CFE1F28121A
	for <linux.lists.archive@gmail.com>; Sun, 25 Feb 2024 23:57:12 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id E150E1BC31;
	Sun, 25 Feb 2024 23:57:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="ES4rSOwA";
	dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="bKcg1+38";
	dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="RaHUHjJ7";
	dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="n/BoFSb3"
X-Original-To: linux-nfs@vger.kernel.org
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3CE241B94E
	for <linux-nfs@vger.kernel.org>; Sun, 25 Feb 2024 23:57:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.130
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708905430; cv=none; b=FefF+zG/M3YHwWyaya+qUxG5mqIH019myPh5Cet1SCwA7mUMaUtj2/XoaquSCjjlKY5gpiMBvqQ8bzgJ5aQcNtIUaJYRy+I+tPmWCmuBpU1iHGiZtjpKmHDRc0THbcd5IKsFKm8GZA6k96hZ6yYSQKycfLCWvl4rgWCMkzu/WwA=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708905430; c=relaxed/simple;
	bh=KHI2Z1Q4UmL1TSbIWWXhDKICyitZ4QSc+DKIfGBGygg=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=qCGXNoYv+Uc/wewLqr9k+5yN2mEsIT3PirDYIBnZc0wWiM5XOxn5bLODIdV/1ydW0L9fHt0yuDaCiKhx3aZ1MmMUTtLceWLRqkBdU34jfxFq7nP160xU3lZOb3MGam/fSsbGDN4ScCUP9J83l13SBUjHWgIwPTVDxrDF9x5RRyk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de; spf=pass smtp.mailfrom=suse.de; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=ES4rSOwA; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=bKcg1+38; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=RaHUHjJ7; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=n/BoFSb3; arc=none smtp.client-ip=195.135.223.130
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.de
Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp-out1.suse.de (Postfix) with ESMTPS id 7B7E1224AE;
	Sun, 25 Feb 2024 23:57:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
	t=1708905427; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=IurPwmuUAjX6zsDna8Z2CwOq6akHYm61/vixzhal1KU=;
	b=ES4rSOwAGT9nA3kKIZeU3M02nF0UWWuL2gVsi5gPUw4T51BUBZu7ZU+DcOKULIR5VXf7Eg
	CPTJdi4p1PHEJWe2d4shs7coDg+XXyiGgD46a8ug1hIwyQ7LJntfNcJvh7nFNQ8SqHIzam
	v/jrJc0J9HBU9cZu5ZvF8WdOldA7k1s=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
	s=susede2_ed25519; t=1708905427;
	h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=IurPwmuUAjX6zsDna8Z2CwOq6akHYm61/vixzhal1KU=;
	b=bKcg1+38qZpbL+XF9YSrsPIc9tWnWQa2N8uTU3AgAtA9ZIC2SZXYdEIcs399lhuKJx8mGG
	YPzM4BoGbVOVBeBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
	t=1708905425; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=IurPwmuUAjX6zsDna8Z2CwOq6akHYm61/vixzhal1KU=;
	b=RaHUHjJ71BcnqSeVGoiEjp58Q/Y61e46nt0uin+BH7XLUADeTDwB2P2QVPwIcAbeyWd6vB
	voCg42VprRZOwDlwNbTAkURzDdN6E4uoBAxv6Ph4Era3AtImoqYN7P1IfsGcf+oUCmTn5B
	HGAdnEX8YqmltP1m6lk/gZRowEfHnHw=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
	s=susede2_ed25519; t=1708905425;
	h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=IurPwmuUAjX6zsDna8Z2CwOq6akHYm61/vixzhal1KU=;
	b=n/BoFSb3e5ejBp8oZ8/YRBh9eJi39ry5oOZkU3LfoxTavOg8Ey3RYXWF6r4mUFM5Ctcc53
	XGBUEvRBHuHl3rAA==
Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 013F413432;
	Sun, 25 Feb 2024 23:57:03 +0000 (UTC)
Received: from dovecot-director2.suse.de ([10.150.64.162])
	by imap1.dmz-prg2.suse.org with ESMTPSA
	id pBvxJc/T22XFJgAAD6G6ig
	(envelope-from <neilb@suse.de>); Sun, 25 Feb 2024 23:57:03 +0000
From: NeilBrown <neilb@suse.de>
To: Steve Dickson <steved@redhat.com>
Cc: linux-nfs@vger.kernel.org,
	Petr Vorel <pvorel@suse.cz>
Subject: [PATCH 3/4] Listen on an AF_UNIX abstract address if supported.
Date: Mon, 26 Feb 2024 10:53:55 +1100
Message-ID: <20240225235628.12473-4-neilb@suse.de>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240225235628.12473-1-neilb@suse.de>
References: <20240225235628.12473-1-neilb@suse.de>
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org
List-Id: <linux-nfs.vger.kernel.org>
List-Subscribe: <mailto:linux-nfs+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-nfs+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Level: 
X-Spamd-Bar: /
Authentication-Results: smtp-out1.suse.de;
	dkim=pass header.d=suse.de header.s=susede2_rsa header.b=RaHUHjJ7;
	dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b="n/BoFSb3"
X-Rspamd-Server: rspamd2.dmz-prg2.suse.org
X-Spamd-Result: default: False [-0.01 / 50.00];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from];
	 TO_DN_SOME(0.00)[];
	 R_MISSING_CHARSET(2.50)[];
	 BROKEN_CONTENT_TYPE(1.50)[];
	 RCVD_COUNT_THREE(0.00)[3];
	 DKIM_TRACE(0.00)[suse.de:+];
	 MX_GOOD(-0.01)[];
	 NEURAL_HAM_SHORT(-0.20)[-1.000];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];
	 RCVD_DKIM_ARC_DNSWL_HI(-1.00)[];
	 FROM_HAS_DN(0.00)[];
	 RCPT_COUNT_THREE(0.00)[3];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 MIME_GOOD(-0.10)[text/plain];
	 DWL_DNSWL_MED(-2.00)[suse.de:dkim];
	 DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];
	 MID_CONTAINS_FROM(1.00)[];
	 DBL_BLOCKED_OPENRESOLVER(0.00)[socket.in:url,configure.ac:url,suse.de:dkim,suse.de:email];
	 FUZZY_BLOCKED(0.00)[rspamd.com];
	 RCVD_IN_DNSWL_HI(-0.50)[2a07:de40:b281:104:10:150:64:97:from];
	 RCVD_TLS_ALL(0.00)[]
X-Spam-Score: -0.01
X-Rspamd-Queue-Id: 7B7E1224AE
X-Spam-Flag: NO

As RPC is primarily a network service it is best, on Linux, to use
network namespaces to isolate it.  However contacting rpcbind via an
AF_UNIX socket allows escape from the network namespace.
If clients could use an abstract address, that would ensure clients
contact an rpcbind in the same network namespace.

systemd can pass in a listening abstract socket by providing an '@'
prefix.  However with libtirpc 1.3.3 or earlier attempting this will
fail as the library mistakenly determines that the socket is not bound.
This generates unsightly error messages.
So it is best not to request the abstract address when it is not likely
to work.

A patch to fix this also proposes adding a define for
_PATH_RPCBINDSOCK_ABSTRACT to the header files.  We can check for this
and only include the new ListenStream when that define is present.

Signed-off-by: NeilBrown <neilb@suse.de>
---
 configure.ac                                  | 13 ++++++++++++-
 systemd/{rpcbind.socket => rpcbind.socket.in} |  1 +
 2 files changed, 13 insertions(+), 1 deletion(-)
 rename systemd/{rpcbind.socket => rpcbind.socket.in} (88%)

diff --git a/configure.ac b/configure.ac
index c2069a2b3b0e..573e4fdf3a3e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -50,6 +50,17 @@ AC_SUBST([nss_modules], [$with_nss_modules])
 
 PKG_CHECK_MODULES([TIRPC], [libtirpc])
 
+CPPFLAGS=$TIRPC_CFLAGS
+AC_MSG_CHECKING([for abstract socket support in libtirpc])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include <rpc/rpc.h>
+],[
+char *path = _PATH_RPCBINDSOCK_ABSTRACT;
+])], [have_abstract=yes], [have_abstract=no])
+CPPFLAGS=
+AC_MSG_RESULT([$have_abstract])
+AM_CONDITIONAL(ABSTRACT, [ test "x$have_abstract" = "xyes" ])
+
 PKG_PROG_PKG_CONFIG
 AC_ARG_WITH([systemdsystemunitdir],
   AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
@@ -76,4 +87,4 @@ AC_CHECK_HEADERS([nss.h])
 AC_SUBST([_sbindir])
 AC_CONFIG_COMMANDS_PRE([eval eval _sbindir=$sbindir])
 
-AC_OUTPUT([Makefile systemd/rpcbind.service])
+AC_OUTPUT([Makefile systemd/rpcbind.service systemd/rpcbind.socket])
diff --git a/systemd/rpcbind.socket b/systemd/rpcbind.socket.in
similarity index 88%
rename from systemd/rpcbind.socket
rename to systemd/rpcbind.socket.in
index 3b1a93694c21..5dd09a143e16 100644
--- a/systemd/rpcbind.socket
+++ b/systemd/rpcbind.socket.in
@@ -6,6 +6,7 @@ Before=rpcbind.target
 
 [Socket]
 ListenStream=/run/rpcbind.sock
+@ABSTRACT_TRUE@ListenStream=@/run/rpcbind.sock
 
 # RPC netconfig can't handle ipv6/ipv4 dual sockets
 BindIPv6Only=ipv6-only
-- 
2.43.0