From 13ef5524888faf47936ce54a0164dac2689ff7b5 Mon Sep 17 00:00:00 2001
From: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
Date: Tue, 23 Apr 2024 23:42:47 +0200
Subject: [PATCH] MINOR: sock: add EPERM case in sock_handle_system_err

setns() may return EPERM if thread, that tries to move into different
namespace, do not have CAP_SYS_ADMIN capability in its Effective set.
So, extending sock_handle_system_err() with this error allows to send
appropriate log message and set SF_ERR_PRXCOND (SC termination
flag in log) as stream termination error code. This error code can be
simply checked with SF_ERR_MASK at protocol layer.
---
 src/sock.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/sock.c b/src/sock.c
index a134505918ca..4f2ba1a761ab 100644
--- a/src/sock.c
+++ b/src/sock.c
@@ -236,6 +236,13 @@ static int sock_handle_system_err(struct connection *conn, struct proxy *be)
 			conn->err_code = CO_ER_NOPROTO;
 			break;
 
+		case EPERM:
+			send_log(be, LOG_EMERG,
+				 "Proxy %s has insufficient permissions to open server socket.\n",
+				 be->id);
+
+			return SF_ERR_PRXCOND;
+
 		default:
 			send_log(be, LOG_EMERG,
 				 "Proxy %s cannot create a server socket: %s\n",