authordec05eba <dec05eba@protonmail.com>2024-10-06 22:26:47 +0200
committerdec05eba <dec05eba@protonmail.com>2024-10-06 22:26:47 +0200
commit28ba2e8f3eeee6bd81e5af431d79a612f85e11bf (patch)
tree88aac71c60a641a08336c8b0ecef735bf53a16b2 /kms/server/kms_server.c
parent29a21ffff0c1447284957ed3b12a73e12bcdc3fb (diff)
gsr-kms-server 'security': only allow gpu-screen-recorder to get framebuffer
Diffstat (limited to 'kms/server/kms_server.c')
-rw-r--r--kms/server/kms_server.c92
1 files changed, 84 insertions, 8 deletions
diff --git a/kms/server/kms_server.c b/kms/server/kms_server.c
index c6460ad..53770b4 100644
--- a/kms/server/kms_server.c
+++ b/kms/server/kms_server.c
@@ -1,3 +1,7 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
#include "../kms_shared.h"
#include <stdio.h>
@@ -6,6 +10,7 @@
#include <stdlib.h>
#include <unistd.h>
+#include <limits.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/un.h>
@@ -413,13 +418,79 @@ static double clock_get_monotonic_seconds(void) {
return (double)ts.tv_sec + (double)ts.tv_nsec * 0.000000001;
}
-static void string_copy(char *dst, const char *src, int len) {
- int src_len = strlen(src);
- int min_len = src_len;
- if(len - 1 < min_len)
- min_len = len - 1;
- memcpy(dst, src, min_len);
- dst[min_len] = '\0';
+static bool readlink_realpath(const char *filepath, char *buffer) {
+ char symlinked_path[PATH_MAX];
+ ssize_t bytes_written = readlink(filepath, symlinked_path, sizeof(symlinked_path) - 1);
+ if(bytes_written == -1 && errno == EINVAL) {
+ /* Not a symlink */
+ snprintf(symlinked_path, sizeof(symlinked_path), "%s", filepath);
+ } else if(bytes_written == -1) {
+ return false;
+ } else {
+ symlinked_path[bytes_written] = '\0';
+ }
+
+ if(!realpath(symlinked_path, buffer))
+ return false;
+
+ return true;
+}
+
+static void file_get_directory(char *filepath) {
+ char *end = strrchr(filepath, '/');
+ if(end == NULL)
+ filepath[0] = '\0';
+ else
+ *end = '\0';
+}
+
+static bool string_ends_with(const char *str, const char *ends_with) {
+ const int len = strlen(str);
+ const int ends_with_len = strlen(ends_with);
+ return len >= ends_with_len && memcmp(str + len - ends_with_len, ends_with, ends_with_len) == 0;
+}
+
+// This is not foolproof, but the assumption is that gsr-kms-server and gpu-screen-recorder are installed in the same directory
+// in a location that only the root user can write to (usually /usr/bin or /usr/local/bin) and if the client runs from that location
+// and is called gpu-screen-recorder then gsr-kms-server can only be used by a malicious program if the malicious program
+// had root access, to modify that program install directory.
+static bool is_remote_peer_program_gpu_screen_recorder(int socket_fd) {
+ // TODO: Use SO_PEERPIDFD on kernel >= 6.5 to avoid a race condition in the /proc/<pid> check
+ struct ucred cred;
+ socklen_t ucred_len = sizeof(cred);
+ if(getsockopt(socket_fd, SOL_SOCKET, SO_PEERCRED, &cred, &ucred_len) == -1) {
+ fprintf(stderr, "kms server error: failed to get peer credentials, error: %s\n", strerror(errno));
+ return false;
+ }
+
+ char self_directory[PATH_MAX];
+ if(!readlink_realpath("/proc/self/exe", self_directory)) {
+ fprintf(stderr, "kms server error: failed to resolve /proc/self/exe\n");
+ return false;
+ }
+ file_get_directory(self_directory);
+
+ char peer_directory[PATH_MAX];
+ char peer_exe_path[PATH_MAX];
+ snprintf(peer_exe_path, sizeof(peer_exe_path), "/proc/%d/exe", (int)cred.pid);
+ if(!readlink_realpath(peer_exe_path, peer_directory)) {
+ fprintf(stderr, "kms server error: failed to resolve /proc/self/exe\n");
+ return false;
+ }
+
+ if(!string_ends_with(peer_directory, "/gpu-screen-recorder")) {
+ fprintf(stderr, "kms server error: only gpu-screen-recorder can use gsr-kms-server. client program location is %s\n", peer_directory);
+ return false;
+ }
+
+ file_get_directory(peer_directory);
+
+ if(strcmp(self_directory, peer_directory) != 0) {
+ fprintf(stderr, "kms server error: the client program is in directory %s but only programs in %s can run gsr-kms-server\n", peer_directory, self_directory);
+ return false;
+ }
+
+ return true;
}
int main(int argc, char **argv) {
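Review bot: The error message in the peer branch of is_remote_peer_program_gpu_screen_recorder is copy-pasted from the self branch and reports `/proc/self/exe` when it is the peer's exe link that failed to resolve; it should read `fprintf(stderr, "kms server error: failed to resolve %s\n", peer_exe_path);` so a rejected client can actually be diagnosed. The header comment above the function also overstates what the check proves: it says a malicious program could only use gsr-kms-server "if the malicious program had root access", but the code only verifies which executable image the peer pid was started from, so a same-uid process that runs the genuine gpu-screen-recorder binary with an altered environment (e.g. LD_PRELOAD) or attaches to it with ptrace still resolves `/proc/<pid>/exe` to the trusted path, and the pid-reuse race the TODO mentions remains until SO_PEERPIDFD is used. I would add one sentence to that comment, e.g. `// NOTE: this is a best-effort check of the peer's executable path, not an integrity check of the client process; same-uid code injection into gpu-screen-recorder is not detected.` In readlink_realpath it is worth noting that a binary replaced on disk after exec yields a "(deleted)" suffix from readlink(), which realpath() then rejects, so that case fails closed by accident rather than by design.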
@@ -478,7 +549,7 @@ int main(int argc, char **argv) {
while(clock_get_monotonic_seconds() - start_time < connect_timeout_sec) {
struct sockaddr_un remote_addr = {0};
remote_addr.sun_family = AF_UNIX;
- string_copy(remote_addr.sun_path, domain_socket_path, sizeof(remote_addr.sun_path));
+ snprintf(remote_addr.sun_path, sizeof(remote_addr.sun_path), "%s", domain_socket_path);
// TODO: Check if parent disconnected
if(connect(socket_fd, (struct sockaddr*)&remote_addr, sizeof(remote_addr.sun_family) + strlen(remote_addr.sun_path)) == -1) {
if(errno == ECONNREFUSED || errno == ENOENT) {
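Review bot: The snprintf() into remote_addr.sun_path is not checked for truncation, so a domain_socket_path longer than sizeof(sun_path) (108 bytes on Linux) is silently cut short and connect() is retried against the wrong path until the timeout expires; the string_copy it replaces had the same behaviour, but the swap is the moment to fix it. Capture the return value and fail closed instead of looping: `int n = snprintf(remote_addr.sun_path, sizeof(remote_addr.sun_path), "%s", domain_socket_path);` followed by `if(n < 0 || (size_t)n >= sizeof(remote_addr.sun_path)) { fprintf(stderr, "kms server error: socket path too long\n"); break; }` before the connect() call, with the caller treating a missed connection as an error as it presumably already does after the loop. The while loop body and the enclosing main() continue outside this hunk, so the exact failure path after `break` cannot be confirmed from here.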
@@ -505,6 +576,11 @@ int main(int argc, char **argv) {
goto done;
}
+ if(!is_remote_peer_program_gpu_screen_recorder(socket_fd)) {
+ res = 3;
+ goto done;
+ }
+
for(;;) {
gsr_kms_request request;
request.version = 0;