Require AF_UNIX sockets from the gofer

host.endpoint already has the check, but it is missing from
host.ConnectedEndpoint.

PiperOrigin-RevId: 214962762
Change-Id: I88bb13a5c5871775e4e7bf2608433df8a3d348e6

1 files changed, 17 insertions, 5 deletions

diff --git a/pkg/sentry/fs/host/socket.go b/pkg/sentry/fs/host/socket.go
index 4ace71c3e..e11772946 100644
--- a/pkg/sentry/fs/host/socket.go
+++ b/pkg/sentry/fs/host/socket.go
@@ -35,6 +35,8 @@ import (
 
 // endpoint encapsulates the state needed to represent a host Unix socket.
 //
+// TODO: Remove/merge with ConnectedEndpoint.
+//
 // +stateify savable
 type endpoint struct {
 	queue waiter.Queue `state:"zerovalue"`
@@ -288,13 +290,23 @@ func recvMsg(fd int, data [][]byte, numRights uintptr, peek bool, addr *tcpip.Fu
 	return rl, ml, control.New(nil, nil, newSCMRights(fds)), nil
 }
 
-// NewConnectedEndpoint creates a new ConnectedEndpoint backed by
-// a host FD that will pretend to be bound at a given sentry path.
+// NewConnectedEndpoint creates a new ConnectedEndpoint backed by a host FD
+// that will pretend to be bound at a given sentry path.
 //
-// The caller is responsible for calling Init(). Additionaly, Release needs
-// to be called twice because host.ConnectedEndpoint is both a
-// unix.Receiver and unix.ConnectedEndpoint.
+// The caller is responsible for calling Init(). Additionaly, Release needs to
+// be called twice because host.ConnectedEndpoint is both a unix.Receiver and
+// unix.ConnectedEndpoint.
 func NewConnectedEndpoint(file *fd.FD, queue *waiter.Queue, path string) (*ConnectedEndpoint, *tcpip.Error) {
+	family, err := syscall.GetsockoptInt(file.FD(), syscall.SOL_SOCKET, syscall.SO_DOMAIN)
+	if err != nil {
+		return nil, translateError(err)
+	}
+
+	if family != syscall.AF_UNIX {
+		// We only allow Unix sockets.
+		return nil, tcpip.ErrInvalidEndpointState
+	}
+
 	e := &ConnectedEndpoint{path: path, queue: queue, file: file}
 
 	// AtomicRefCounters start off with a single reference. We need two.