diff options
Diffstat (limited to 'kms/server/kms_server.c')
-rw-r--r-- | kms/server/kms_server.c | 138 |
1 files changed, 69 insertions, 69 deletions
diff --git a/kms/server/kms_server.c b/kms/server/kms_server.c index e671207..b4f3378 100644 --- a/kms/server/kms_server.c +++ b/kms/server/kms_server.c @@ -418,80 +418,80 @@ static double clock_get_monotonic_seconds(void) { return (double)ts.tv_sec + (double)ts.tv_nsec * 0.000000001; } -static bool readlink_realpath(const char *filepath, char *buffer) { - char symlinked_path[PATH_MAX]; - ssize_t bytes_written = readlink(filepath, symlinked_path, sizeof(symlinked_path) - 1); - if(bytes_written == -1 && errno == EINVAL) { - /* Not a symlink */ - snprintf(symlinked_path, sizeof(symlinked_path), "%s", filepath); - } else if(bytes_written == -1) { - return false; - } else { - symlinked_path[bytes_written] = '\0'; - } - - if(!realpath(symlinked_path, buffer)) - return false; - - return true; -} - -static void file_get_directory(char *filepath) { - char *end = strrchr(filepath, '/'); - if(end == NULL) - filepath[0] = '\0'; - else - *end = '\0'; -} - -static bool string_ends_with(const char *str, const char *ends_with) { - const int len = strlen(str); - const int ends_with_len = strlen(ends_with); - return len >= ends_with_len && memcmp(str + len - ends_with_len, ends_with, ends_with_len) == 0; -} +// static bool readlink_realpath(const char *filepath, char *buffer) { +// char symlinked_path[PATH_MAX]; +// ssize_t bytes_written = readlink(filepath, symlinked_path, sizeof(symlinked_path) - 1); +// if(bytes_written == -1 && errno == EINVAL) { +// /* Not a symlink */ +// snprintf(symlinked_path, sizeof(symlinked_path), "%s", filepath); +// } else if(bytes_written == -1) { +// return false; +// } else { +// symlinked_path[bytes_written] = '\0'; +// } + +// if(!realpath(symlinked_path, buffer)) +// return false; + +// return true; +// } + +// static void file_get_directory(char *filepath) { +// char *end = strrchr(filepath, '/'); +// if(end == NULL) +// filepath[0] = '\0'; +// else +// *end = '\0'; +// } + +// static bool string_ends_with(const char *str, const char *ends_with) { +// const int len = strlen(str); +// const int ends_with_len = strlen(ends_with); +// return len >= ends_with_len && memcmp(str + len - ends_with_len, ends_with, ends_with_len) == 0; +// } // This is not foolproof, but the assumption is that gsr-kms-server and gpu-screen-recorder are installed in the same directory // in a location that only the root user can write to (usually /usr/bin or /usr/local/bin) and if the client runs from that location // and is called gpu-screen-recorder then gsr-kms-server can only be used by a malicious program if the malicious program // had root access, to modify that program install directory. -static bool is_remote_peer_program_gpu_screen_recorder(int socket_fd) { - // TODO: Use SO_PEERPIDFD on kernel >= 6.5 to avoid a race condition in the /proc/<pid> check - struct ucred cred; - socklen_t ucred_len = sizeof(cred); - if(getsockopt(socket_fd, SOL_SOCKET, SO_PEERCRED, &cred, &ucred_len) == -1) { - fprintf(stderr, "kms server error: failed to get peer credentials, error: %s\n", strerror(errno)); - return false; - } - - char self_directory[PATH_MAX]; - if(!readlink_realpath("/proc/self/exe", self_directory)) { - fprintf(stderr, "kms server error: failed to resolve /proc/self/exe\n"); - return false; - } - file_get_directory(self_directory); - - char peer_directory[PATH_MAX]; - char peer_exe_path[PATH_MAX]; - snprintf(peer_exe_path, sizeof(peer_exe_path), "/proc/%d/exe", (int)cred.pid); - if(!readlink_realpath(peer_exe_path, peer_directory)) { - fprintf(stderr, "kms server error: failed to resolve /proc/self/exe\n"); - return false; - } - - if(!string_ends_with(peer_directory, "/gpu-screen-recorder")) { - fprintf(stderr, "kms server error: only gpu-screen-recorder can use gsr-kms-server. client program location is %s\n", peer_directory); - return false; - } - - file_get_directory(peer_directory); - - if(strcmp(self_directory, peer_directory) != 0) { - fprintf(stderr, "kms server error: the client program is in directory %s but only programs in %s can run gsr-kms-server\n", peer_directory, self_directory); - return false; - } - - return true; -} +// static bool is_remote_peer_program_gpu_screen_recorder(int socket_fd) { +// // TODO: Use SO_PEERPIDFD on kernel >= 6.5 to avoid a race condition in the /proc/<pid> check +// struct ucred cred; +// socklen_t ucred_len = sizeof(cred); +// if(getsockopt(socket_fd, SOL_SOCKET, SO_PEERCRED, &cred, &ucred_len) == -1) { +// fprintf(stderr, "kms server error: failed to get peer credentials, error: %s\n", strerror(errno)); +// return false; +// } + +// char self_directory[PATH_MAX]; +// if(!readlink_realpath("/proc/self/exe", self_directory)) { +// fprintf(stderr, "kms server error: failed to resolve /proc/self/exe\n"); +// return false; +// } +// file_get_directory(self_directory); + +// char peer_directory[PATH_MAX]; +// char peer_exe_path[PATH_MAX]; +// snprintf(peer_exe_path, sizeof(peer_exe_path), "/proc/%d/exe", (int)cred.pid); +// if(!readlink_realpath(peer_exe_path, peer_directory)) { +// fprintf(stderr, "kms server error: failed to resolve /proc/self/exe\n"); +// return false; +// } + +// if(!string_ends_with(peer_directory, "/gpu-screen-recorder")) { +// fprintf(stderr, "kms server error: only gpu-screen-recorder can use gsr-kms-server. client program location is %s\n", peer_directory); +// return false; +// } + +// file_get_directory(peer_directory); + +// if(strcmp(self_directory, peer_directory) != 0) { +// fprintf(stderr, "kms server error: the client program is in directory %s but only programs in %s can run gsr-kms-server\n", peer_directory, self_directory); +// return false; +// } + +// return true; +// } int main(int argc, char **argv) { int res = 0; |