From c352f16b4a70dbea67902ec1846d3bd2dbb22926 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Fri, 17 Apr 2026 18:55:43 +1000
Subject: [PATCH] eis: restrict our socket to owner-only

Depending on the umask our socket may be group/world-accessible, let's not do that because if the current state of the world tells us anything it is that we can't trust it.

Assisted-by: Claude:claude-opus-4-6
Part-of:
---
 src/libeis-socket.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/libeis-socket.c b/src/libeis-socket.c
index c743836..888c955 100644
--- a/src/libeis-socket.c
+++ b/src/libeis-socket.c
@@ -181,6 +181,10 @@ eis_setup_backend_socket(struct eis *eis, const char *socketpath)
 if (bind(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
 return -errno;
+ /* Restrict socket to owner-only access regardless of umask */
+ if (fchmod(sockfd, S_IRUSR | S_IWUSR) == -1)
+ return -errno;
+
 if (listen(sockfd, 2) == -1)
 return -errno;
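Review bot: `fchmod(sockfd, ...)` placed after `bind()` probably does not change the mode of the socket file that clients open: on Linux the bound path is a separate filesystem inode created by `bind()` with the umask applied, while `fchmod()` on the descriptor acts on the socket's own inode, and connect permission is checked against the path. If that holds here, the socket stays group/world-accessible under a permissive umask even though the call succeeds. Moving the same call ahead of `bind()` makes Linux create the node with that mode (the umask can then only remove bits), or the path can be changed directly with `chmod(addr.sun_path, S_IRUSR | S_IWUSR)` before `listen()`, assuming `addr` is a `struct sockaddr_un`. A test that calls `stat()` on the socket path after setup under `umask(0)` would confirm which behaviour applies. The body of eis_setup_backend_socket starts and ends outside this hunk.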