in src/enclave_proc/connection_listener.rs [271:305]
fn enable_credentials_passing(&self, listener: &UnixListener) {
let val: libc::c_int = 1;
let rc = unsafe {
libc::setsockopt(
listener.as_raw_fd(),
libc::SOL_SOCKET,
libc::SO_PASSCRED,
&val as *const libc::c_int as *const libc::c_void,
std::mem::size_of::<libc::c_int>() as libc::socklen_t,
)
};
if rc < 0 {
warn!(
"Failed to enable credentials passing on socket listener: {}",
io::Error::last_os_error()
);
}
// Since access policy is handled within the enclave process explicitly, we
// allow full access to the socket itself (otherwise other users will not
// be allowed to connect to the socket in the first place).
if let Ok(sock_addr) = listener.local_addr() {
if let Some(sock_path) = sock_addr.as_pathname() {
let perms = Permissions::from_mode(0o766);
if let Err(e) = set_permissions(sock_path, perms) {
warn!("Failed to update socket permissions: {}", e);
}
} else {
warn!("Failed to get the listener's socket path.");
}
} else {
warn!("Failed to get the socket listener's local address.")
}
}