Bind broker sessions to Linux SO_PEERCRED and /proc starttime ancestry, fence runtime generations, persist cryptographic single-use cycle tokens, and enforce protected Unix socket/state posture.\n\ncloses #828
2.2 KiB
Lease broker operations
Place the socket and state file in a dedicated directory with mode 0700. Start the packaged daemon with:
python3 "$MOSAIC_HOME/tools/lease-broker/daemon.py" \
--socket /run/user/1000/mosaic-lease/broker.sock \
--state /run/user/1000/mosaic-lease/state.json
The broker refuses an existing parent directory whose mode is not exactly 0700, an existing state file not at 0600, corrupt/incompatible state, or an already-existing socket path. After bind it sets the socket to 0600. It never silently unlinks a pre-existing socket. On normal termination it unlinks only the socket inode it created, so it does not remove a replacement path.
Clients must complete the request boundary before waiting for a reply. After sending the single JSON object and its terminating newline, the client MUST half-close the socket's write side (shutdown(SHUT_WR) in POSIX clients; socket.end() in Node) and only then await the response. Merely calling write() and waiting is invalid: the broker waits for EOF to enforce the exact-one-frame contract and fails closed at its one-second deadline. Do not replace end() with write() in client helpers. A delayed second frame remains malformed and is rejected.
There is no automated recovery workflow in WI-1. After a crash, preserve the protected state file and restart only after verifying that no broker owns the socket. A leftover socket requires an operator to verify the owning service is stopped and remove that exact socket deliberately. Corrupt, oversized, symlinked, or non-regular state fails closed; do not overwrite it. Preserve it for incident review and establish new state only through an explicit operational decision, which invalidates prior sessions and tokens.
Security posture
Directory 0700 plus socket/state 0600 is minimum same-principal hardening: it excludes other UIDs but does not stop the same UID from unlinking and counterfeiting the socket. It therefore does not close T-C same-UID replacement. The stronger deployment runs the broker as a distinct principal behind a protected service boundary whose clients cannot unlink or rebind the socket; that is the T-C-closing option. Server-side branch protection remains the irreducible backstop.