From 6114b9a7f886c9a7491f08b8f084a5de15035eed Mon Sep 17 00:00:00 2001
From: Tarasov Aleksandr <55220741+arabianq@users.noreply.github.com>
Date: Sat, 21 Mar 2026 21:03:48 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20[security]=20Set=20restricted=20?= =?UTF-8?q?permissions=20on=20socket=20and=20runtime=20directory=20(#40)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 src/bin/daemon.rs | 3 +++
 src/utils/daemon.rs | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/src/bin/daemon.rs b/src/bin/daemon.rs
index e546f2e..47bb251 100644
--- a/src/bin/daemon.rs
+++ b/src/bin/daemon.rs
@@ -9,6 +9,7 @@ use pwsp::{
 pipewire::create_virtual_mic,
 },
 };
+use std::os::unix::fs::PermissionsExt;
 use std::{error::Error, fs, time::Duration};
 use tokio::{
 io::{AsyncReadExt, AsyncWriteExt},
@@ -54,6 +55,8 @@ async fn main() -> Result<(), Box> {
 }
 let listener = UnixListener::bind(&socket_path)?;
+ fs::set_permissions(&socket_path, fs::Permissions::from_mode(0o600))?;
+
 println!(
 "Daemon started. Listening on {}",
 socket_path.to_str().unwrap_or_default()
diff --git a/src/utils/daemon.rs b/src/utils/daemon.rs
index 9689109..f2c67a2 100644
--- a/src/utils/daemon.rs
+++ b/src/utils/daemon.rs
@@ -6,6 +6,7 @@ use crate::{
 },
 utils::pipewire::{create_link, get_device},
 };
+use std::os::unix::fs::PermissionsExt;
 use std::path::PathBuf;
 use std::{error::Error, fs};
 use tokio::{
@@ -84,6 +85,7 @@ pub fn create_runtime_dir() -> Result<(), Box> {
 if !runtime_dir.exists() {
 fs::create_dir_all(&runtime_dir)?;
 }
+ fs::set_permissions(&runtime_dir, fs::Permissions::from_mode(0o700))?;
 Ok(())
 }
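Review bot: In `main` in src/bin/daemon.rs the socket is created by `UnixListener::bind(&socket_path)?` with the umask-derived mode and is only narrowed to `0o600` by the `fs::set_permissions` call that follows, so for a short interval access control rests entirely on the parent directory. If `socket_path` always lives inside the directory that `create_runtime_dir` sets to `0o700`, and that call runs before the bind (neither is visible in this hunk), the interval is harmless; I would record the dependency next to the call, e.g. `// bind() creates the socket with the umask-default mode; the 0o700 runtime dir keeps other users out until this chmod`. As defence in depth the accept loop could also compare the uid from tokio's `UnixStream::peer_cred()` with the daemon's own uid before handling a request. `main` starts and ends outside the hunk.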
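Review bot: In `create_runtime_dir` in src/utils/daemon.rs a directory that already exists is accepted and chmod-ed without checking that it is a real directory owned by the current user, and `fs::set_permissions` follows symlinks. If `runtime_dir` can fall back to a shared location such as a temp directory (its derivation is above the hunk), I would check `fs::symlink_metadata(&runtime_dir)?` for `is_dir()` and a matching `uid()` and return an error otherwise. For the creation path, `fs::DirBuilder::new().recursive(true).mode(0o700).create(&runtime_dir)?` (with `std::os::unix::fs::DirBuilderExt` in scope) creates the directory already restricted instead of tightening it afterwards. The function body begins outside the hunk.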