//! Peer-credential check for accepted loaderd control connections (AAASM-3918).
//!
//! The privileged `aa-ebpf-loaderd` control socket is owner-only (`0600`), but a
//! peer-credential check is defence-in-depth: it makes the trust boundary
//! explicit and testable and rejects any connection whose process UID does not
//! match the UID the daemon itself runs as. Because `dispatch` performs no
//! caller authentication of its own, the socket permission was previously the
//! *entire* trust boundary; under a permissive daemon umask there is a window
//! where the `0600` mode is not yet applied (closed separately by the umask-
//! tightened bind), so this UID check closes the residual "another local process
//! connects to the highest-privilege control socket and issues Detach / replaces
//! deny rules" vector.
//!
//! This mirrors the runtime IPC hardening in
//! `aa-runtime/src/ipc/peercred.rs` (AAASM-3579); the helper there is private to
//! that crate, so the minimal policy is replicated here.
//!
//! Portability: the peer UID is read via tokio's `UnixStream::peer_cred`, which
//! is backed by `SO_PEERCRED` on Linux and `getpeereid`/`LOCAL_PEERCRED` on
//! macOS/BSD, so this module compiles and runs on every Unix target.
/// Decide whether a peer connection should be admitted, given the peer UID and
/// the daemon's own effective UID.
///
/// Returns `true` only when the peer UID equals the daemon UID. Kept as a pure
/// function so the policy is unit-testable without opening a real socket.
/// The effective UID of the current (daemon) process.
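/// The policy described above, written out as an added example rather than the
/// project's own code: the pure UID comparison, a fail-closed wrapper that also
/// rejects connections whose credentials cannot be read, and a constructed fake
/// connection so the check runs without a socket. `PeerCred`, `AdmitError`,
/// `uid_admitted`, `admit_peer` and `FakeConn` are names assumed here, not
/// taken from the crate.

```rust
use std::io;

/// Why a peer connection was refused.
#[derive(Debug)]
pub enum AdmitError {
    /// The kernel could not supply peer credentials; treated as a rejection.
    CredUnavailable(io::Error),
    /// The peer process runs as a different user than the daemon.
    UidMismatch { peer_uid: u32, daemon_uid: u32 },
}

/// Anything that can report the UID of the process at the other end of a
/// connection. A real server implements this over the accepted Unix socket
/// (`SO_PEERCRED` on Linux, `LOCAL_PEERCRED` on BSD/macOS).
pub trait PeerCred {
    fn peer_uid(&self) -> io::Result<u32>;
}

/// Pure admission policy from the module docs: exact UID match only.
pub fn uid_admitted(peer_uid: u32, daemon_uid: u32) -> bool {
    peer_uid == daemon_uid
}

/// Full check for one accepted connection. A failed credential lookup is a
/// rejection, never a pass, so the socket mode never silently becomes the
/// only barrier again. `daemon_uid` is the daemon's effective UID (geteuid).
pub fn admit_peer<C: PeerCred>(conn: &C, daemon_uid: u32) -> Result<(), AdmitError> {
    let peer_uid = conn.peer_uid().map_err(AdmitError::CredUnavailable)?;
    if uid_admitted(peer_uid, daemon_uid) {
        Ok(())
    } else {
        Err(AdmitError::UidMismatch { peer_uid, daemon_uid })
    }
}

/// Constructed fake connection for exercising the policy without a socket:
/// `Some(uid)` reports that UID, `None` simulates a failed credential lookup.
pub struct FakeConn(pub Option<u32>);

impl PeerCred for FakeConn {
    fn peer_uid(&self) -> io::Result<u32> {
        self.0
            .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "peer credentials unavailable"))
    }
}
```

A connection from any other UID, root included, is rejected by the exact-match rule, which matches the daemon-UID-only trust boundary the module docs state.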