@@ -50,6 +50,17 @@ AC_SUBST([nss_modules], [$with_nss_modules])
PKG_CHECK_MODULES([TIRPC], [libtirpc])
+CPPFLAGS=$TIRPC_CFLAGS
+AC_MSG_CHECKING([for abstract socket support in libtirpc])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include <rpc/rpc.h>
+],[
+char *path = _PATH_RPCBINDSOCK_ABSTRACT;
+])], [have_abstract=yes], [have_abstract=no])
+CPPFLAGS=
+AC_MSG_RESULT([$have_abstract])
+AM_CONDITIONAL(ABSTRACT, [ test "x$have_abstract" = "xyes" ])
+
PKG_PROG_PKG_CONFIG
AC_ARG_WITH([systemdsystemunitdir],
AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
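Review bot: `CPPFLAGS=$TIRPC_CFLAGS` followed by the bare `CPPFLAGS=` throws away whatever CPPFLAGS the user passed to configure, not only for this check but for every test that runs after it (the `AC_CHECK_HEADERS([nss.h])` visible as the next hunk's context, for one). Save and restore instead: `save_CPPFLAGS=$CPPFLAGS` and `CPPFLAGS="$CPPFLAGS $TIRPC_CFLAGS"` before `AC_MSG_CHECKING`, then `CPPFLAGS=$save_CPPFLAGS` after `AC_MSG_RESULT`. Two style points: the first argument of `AM_CONDITIONAL` is conventionally quoted, `AM_CONDITIONAL([ABSTRACT], ...)`, and the probe declares `path` without using it, which `AC_COMPILE_IFELSE` tolerates but which turns into a false negative if `-Werror=unused-variable` ever reaches CFLAGS; `(void)path;` after the declaration avoids that.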
@@ -76,4 +87,4 @@ AC_CHECK_HEADERS([nss.h])
AC_SUBST([_sbindir])
AC_CONFIG_COMMANDS_PRE([eval eval _sbindir=$sbindir])
-AC_OUTPUT([Makefile systemd/rpcbind.service])
+AC_OUTPUT([Makefile systemd/rpcbind.service systemd/rpcbind.socket])
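Review bot: `systemd/rpcbind.socket` becomes a configure-generated file here, but the patch neither adds it to `.gitignore` nor arranges for `make distclean` to remove it (a `DISTCLEANFILES` entry in the Makefile.am that installs the unit, which is not shown in this patch), and that install rule should be checked to read the generated unit from the build directory rather than the source tree. Passing the output list to `AC_OUTPUT` is also the obsolete spelling; current autoconf documents `AC_CONFIG_FILES([Makefile systemd/rpcbind.service systemd/rpcbind.socket])` followed by a bare `AC_OUTPUT`.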
deleted file mode 100644
@@ -1,18 +0,0 @@
-[Unit]
-Description=RPCbind Server Activation Socket
-DefaultDependencies=no
-Wants=rpcbind.target
-Before=rpcbind.target
-
-[Socket]
-ListenStream=/run/rpcbind.sock
-
-# RPC netconfig can't handle ipv6/ipv4 dual sockets
-BindIPv6Only=ipv6-only
-ListenStream=0.0.0.0:111
-ListenDatagram=0.0.0.0:111
-ListenStream=[::]:111
-ListenDatagram=[::]:111
-
-[Install]
-WantedBy=sockets.target
new file mode 100644
@@ -0,0 +1,19 @@
+[Unit]
+Description=RPCbind Server Activation Socket
+DefaultDependencies=no
+Wants=rpcbind.target
+Before=rpcbind.target
+
+[Socket]
+ListenStream=/run/rpcbind.sock
+@ABSTRACT_TRUE@ListenStream=@/run/rpcbind.sock
+
+# RPC netconfig can't handle ipv6/ipv4 dual sockets
+BindIPv6Only=ipv6-only
+ListenStream=0.0.0.0:111
+ListenDatagram=0.0.0.0:111
+ListenStream=[::]:111
+ListenDatagram=[::]:111
+
+[Install]
+WantedBy=sockets.target
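Review bot: the `@ABSTRACT_TRUE@` prefix works because automake substitutes `#` for it when the conditional is false, so the installed unit then carries a commented-out `#ListenStream=@/run/rpcbind.sock` with nothing saying why; a comment line above it (this template already uses `#` comments for the dual-stack note) explaining that the abstract listener is emitted only when libtirpc defines `_PATH_RPCBINDSOCK_ABSTRACT` would save the next reader a trip to configure.ac. That comment is also the place to record the access-control difference: `/run/rpcbind.sock` is reachable according to the path's filesystem mode, whereas an abstract name has no permission bits and is reachable by every process in the same network namespace, which is the property the commit wants but is a change from the path socket it sits beside.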
As RPC is primarily a network service it is best, on Linux, to use network namespaces to isolate it. However contacting rpcbind via an AF_UNIX socket allows escape from the network namespace. If clients could use an abstract address, that would ensure clients contact an rpcbind in the same network namespace.

systemd can pass in a listening abstract socket by providing an '@' prefix. However with libtirpc 1.3.3 or earlier attempting this will fail as the library mistakenly determines that the socket is not bound. This generates unsightly error messages. So it is best not to request the abstract address when it is not likely to work.

A patch to fix this also proposes adding a define for _PATH_RPCBINDSOCK_ABSTRACT to the header files. We can check for this and only include the new ListenStream when that define is present.

Signed-off-by: NeilBrown <neilb@suse.de>
---
 configure.ac              | 13 ++++++++++++-
 systemd/rpcbind.socket    | 18 ------------------
 systemd/rpcbind.socket.in | 19 +++++++++++++++++++
 3 files changed, 31 insertions(+), 19 deletions(-)
 delete mode 100644 systemd/rpcbind.socket
 create mode 100644 systemd/rpcbind.socket.in
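The commit message describes libtirpc 1.3.3 treating an abstract AF_UNIX listener as "not bound". The following is an added example, not code from this patch or from libtirpc or rpcbind, showing the check a library has to make to get that right on Linux: an abstract address is a `sun_path` whose first byte is NUL, so a bound-or-not decision that looks only at `sun_path[0]` misclassifies it; the reliable signal is the address length that `getsockname()` returns. The socket name used below is constructed for the example (it embeds the pid so two runs cannot collide) and is not the rpcbind address.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Bind an AF_UNIX stream socket to an abstract address (Linux only).
 * The address length handed to bind() is exactly the family field plus
 * the leading NUL plus the name bytes; no terminating NUL is included,
 * otherwise it would become part of the name. Returns the fd or -1. */
int bind_abstract(const char *name)
{
    struct sockaddr_un sa;
    size_t len = strlen(name);
    int fd;

    if (len == 0 || len + 1 > sizeof(sa.sun_path))
        return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    sa.sun_path[0] = '\0';
    memcpy(sa.sun_path + 1, name, len);
    if (bind(fd, (struct sockaddr *)&sa,
             (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + len)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Classify an AF_UNIX socket from what the kernel reports via getsockname():
 *   0 = unbound      (returned length covers only sun_family)
 *   1 = bound to a filesystem path
 *   2 = bound to an abstract name
 *  -1 = getsockname() failed
 * Note the order of the tests: the length decides bound vs. unbound, and
 * only then does sun_path[0] distinguish abstract from pathname. Testing
 * sun_path[0] first is the mistake that reports an abstract socket as unbound. */
int unix_bind_kind(int fd)
{
    struct sockaddr_un sa;
    socklen_t slen = sizeof(sa);

    memset(&sa, 0, sizeof(sa));
    if (getsockname(fd, (struct sockaddr *)&sa, &slen) < 0)
        return -1;
    if (slen <= offsetof(struct sockaddr_un, sun_path))
        return 0;
    return sa.sun_path[0] == '\0' ? 2 : 1;
}

/* Bind a pid-unique abstract name (constructed for this example) and
 * report how unix_bind_kind() classifies it; expected result is 2. */
int demo_abstract_kind(void)
{
    char name[64];
    int fd, kind;

    snprintf(name, sizeof(name), "example-abstract-check-%ld", (long)getpid());
    fd = bind_abstract(name);
    if (fd < 0)
        return -1;
    kind = unix_bind_kind(fd);
    close(fd);
    return kind;
}

/* A freshly created, never-bound socket; expected result is 0. */
int demo_unbound_kind(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int kind;

    if (fd < 0)
        return -1;
    kind = unix_bind_kind(fd);
    close(fd);
    return kind;
}

int main(void)
{
    printf("abstract listener classified as: %d (2 = abstract)\n", demo_abstract_kind());
    printf("unbound socket classified as:    %d (0 = unbound)\n", demo_unbound_kind());
    return 0;
}
```

Running it prints 2 for the abstract listener and 0 for the unbound socket. A check written the other way round, `sun_path[0] != '\0'` before looking at the length, returns "unbound" for the abstract case, which is the behaviour the commit message says produces the error messages and is why the unit only emits the `@/run/rpcbind.sock` line when the fixed headers are present.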