From f4b3e90141cdbfbc4f9071953080bb2566b50024 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Fri, 2 Jun 2017 15:31:43 +0200
Subject: [PATCH] conmon: Make console socket mode 0700

It doesn't make sense for other users to connect to this, so
lets make sure of this.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
---
 conmon/conmon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/conmon/conmon.c b/conmon/conmon.c
index d0fd9a90..733292d1 100644
--- a/conmon/conmon.c
+++ b/conmon/conmon.c
@@ -14,6 +14,7 @@
 #include <sys/un.h>
 #include <sys/wait.h>
 #include <sys/eventfd.h>
+#include <sys/stat.h>
 #include <syslog.h>
 #include <unistd.h>
 
@@ -549,6 +550,8 @@ int main(int argc, char *argv[])
 		csfd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
 		if (csfd < 0)
 			pexit("Failed to create console-socket");
+                if (fchmod(csfd, 0700))
+			pexit("Failed to change console-socket permissions");
 		/* XXX: This should be handled with a rename(2). */
 		if (unlink(csname) < 0)
 			pexit("Failed to unlink temporary ranom path");