gitea.service needs AF_UNIX addressFamily in order to connect to socket based database

[Ouack23]

Hello, I have a setup running with:

• forgejo 10.0.0
• mariadb 10.11.6
• Debian12 inside LXC (Proxmox)

My forgejo database configuration is:

[database]
DB_TYPE = mysql
HOST = /var/run/mysqld/mysqld.sock

After applying #184 (using l3d.gitea version v.3.6.0), I got the following error message:

2025/01/26 19:18:06 routers/common/db.go:36:InitDBEngine() [E] ORM engine initialization attempt #6/10 failed. Error: dial unix /var/run/mysqld/mysqld.sock: socket: address family not supported by protocol

which led to the service crashing and restarting every ~20 seconds or so:

Jan 26 19:17:50 git systemd[1]: Started gitea.service - forgejo git server.
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:242:runWeb() [I] Starting Forgejo on PID: 14199
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:111:showWebStartupMessage() [I] Forgejo version: 10.0.0+gitea-1.22.0 built with GNU Make 4.4.1, go1.23.4 : bindata, timetzdata, sqlite, sqlite_unlock_notify
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:112:showWebStartupMessage() [I] * RunMode: prod
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:113:showWebStartupMessage() [I] * AppPath: /usr/local/bin/forgejo
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:114:showWebStartupMessage() [I] * WorkPath: /mnt/data/gitea
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:115:showWebStartupMessage() [I] * CustomPath: /mnt/data/gitea/custom/
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:116:showWebStartupMessage() [I] * ConfigFile: /etc/gitea/gitea.ini
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 cmd/web.go:117:showWebStartupMessage() [I] Prepare to run web server
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 modules/git/git.go:196:InitFull() [W] sha256 hash support is disabled - requires Git >= 2.42
Jan 26 19:17:51 git forgejo[14199]: 2025/01/26 19:17:51 routers/init.go:114:InitWebInstalled() [I] Git version: 2.39.5, Wire Protocol Version 2 Enabled (home: /mnt/data/gitea/data/home)
Jan 26 19:18:18 git systemd[1]: Reloading.
Jan 26 19:18:18 git systemd[1]: gitea.service: Main process exited, code=exited, status=1/FAILURE
Jan 26 19:18:18 git systemd[1]: gitea.service: Failed with result 'exit-code'.

My setup needs the following configuration in gitea.service in order to run:

 # PrivateNetwork=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-RestrictAddressFamilies=~AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

I wonder why @juju4 chose to disable AF_UNIX ? It is recommended to use sockets instead of tcp ports when connecting to network resources on the same host, cf. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RestrictAddressFamilies=

RestrictAddressFamilies=[¶](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RestrictAddressFamilies=)

    Restricts the set of socket address families accessible to the processes of this unit. Takes "none", or a space-separated list of address family names to allow-list, such as AF_UNIX, AF_INET or AF_INET6. When "none" is specified, then all address families will be denied. When prefixed with "~" the listed address families will be applied as deny list, otherwise as allow list. Note that this restricts access to the [socket(2)](https://man7.org/linux/man-pages/man2/socket.2.html) system call only. Sockets passed into the process by other means (for example, by using socket activation with socket units, see [systemd.socket(5)](https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#)) are unaffected. Also, sockets created with socketpair() (which creates connected AF_UNIX sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le, ppc, ppc-le, ppc64, ppc64-le and is ignored (but works correctly on other ABIs, including x86-64). Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is recommended to combine this option with SystemCallArchitectures=native or similar. By default, no restrictions apply, all address families are accessible to processes. If assigned the empty string, any previous address family restriction changes are undone. This setting does not affect commands prefixed with "+".

    Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive network protocols, such as AF_PACKET. Note that in most cases, the local AF_UNIX address family should be included in the configured allow list as it is frequently used for local communication, including for [syslog(2)](https://man7.org/linux/man-pages/man2/syslog.2.html) logging.

    Added in version 211.

→ I think we should allow AF_UNIX. I can make a PR for that when we agree. I'm patching the role manually in the mean time.

Thank you for your work :)
Regards

[juju4]

Likely because role default config is sqlite for which this does not matter
and default role settings is tcp port too
https://github.com/roles-ansible/ansible_role_gitea/blob/main/defaults/main.yml#L135
https://github.com/roles-ansible/ansible_role_gitea/blob/main/templates/gitea.ini.j2#L125

But I agree it is fine to allow AF_UNIX
probably should add in block line AF_NETLINK AF_PACKET unless there is a reason not too but less likely.