🔒 [security] Set restricted permissions on socket and runtime directory (#40)

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
2026-04-28 06:21:23 +00:00 · 2026-03-21 21:03:48 +03:00
parent b8baeb6226
commit 6114b9a7f8
2 changed files with 5 additions and 0 deletions
@@ -9,6 +9,7 @@ use pwsp::{
        pipewire::create_virtual_mic,
    },
 };
+use std::os::unix::fs::PermissionsExt;
 use std::{error::Error, fs, time::Duration};
 use tokio::{
    io::{AsyncReadExt, AsyncWriteExt},
@@ -54,6 +55,8 @@ async fn main() -> Result<(), Box<dyn Error>> {
    }

    let listener = UnixListener::bind(&socket_path)?;
+    fs::set_permissions(&socket_path, fs::Permissions::from_mode(0o600))?;
+
    println!(
        "Daemon started. Listening on {}",
        socket_path.to_str().unwrap_or_default()