authordec05eba <dec05eba@protonmail.com>2025-02-22 17:14:47 +0100
committerdec05eba <dec05eba@protonmail.com>2025-02-22 17:14:47 +0100
commit7a95e47aac884ea80a5f1dca2c62a16b3144cd39 (patch)
tree67d28ab8a1c719992dfb45b1da896521f7789307
parent95ce901489df683e9d1a4e6e210d3e2f97931063 (diff)
Launch gsr files in flatpak /var/... path, to make it secure
-rw-r--r--main.c79
1 files changed, 20 insertions, 59 deletions
diff --git a/main.c b/main.c
index 2114ca1..2025dfb 100644
--- a/main.c
+++ b/main.c
@@ -12,7 +12,6 @@
#include <sys/capability.h>
#define KMS_SERVER_PROXY_FILEPATH "/var/lib/flatpak/app/com.dec05eba.gpu_screen_recorder/current/active/files/bin/kms-server-proxy"
-#define GSR_KMS_SERVER_FILEPATH "/var/lib/flatpak/app/com.dec05eba.gpu_screen_recorder/current/active/files/bin/gsr-kms-server"
#define GSR_GLOBAL_HOTKEYS_FILEPATH "/var/lib/flatpak/app/com.dec05eba.gpu_screen_recorder/current/active/files/bin/gsr-global-hotkeys"
static bool readlink_realpath(const char *filepath, char *buffer) {
@@ -73,16 +72,9 @@ static bool create_local_kms_server_proxy_directory(const char *home) {
for(size_t i = 0; paths[i]; ++i) {
const char *path_part = paths[i];
snprintf(path, sizeof(path), "%s/%s", home, path_part);
- err = mkdir(path, 0755);
- if(err == -1) {
- if(errno == EEXIST) {
- err = chmod(path, 0755);
- if(err == -1)
- return false;
- } else {
- return false;
- }
- }
+ err = mkdir(path, S_IRWXU);
+ if(err == -1 && errno != EEXIST)
+ return false;
}
return true;
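Review bot: The `EEXIST` case of the new `mkdir(path, S_IRWXU)` call accepts whatever already sits at `path` without inspecting it, so a directory left at 0755 by the previous code, or an entry that is not a directory at all, counts as success. The removed `chmod` at least normalised the mode; without it `S_IRWXU` only applies to directories created fresh, and is still subject to the umask. Consider confirming the existing entry before continuing, e.g. `struct stat st; if(stat(path, &st) == -1 || !S_ISDIR(st.st_mode)) return false;`, and tightening the mode on the final gpu-screen-recorder directory if that is the one meant to be private. The `paths` array and the start of `create_local_kms_server_proxy_directory` are outside the hunk, so which components this covers cannot be checked here.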
@@ -131,23 +123,16 @@ static void usage(void) {
exit(1);
}
-/* |gsr_kms_server_local_filepath| and |gsr_global_hotkeys_local_filepath| can be NULL */
-static bool set_gsr_files_set_permissions_and_capabilities(const char *kms_server_proxy_local_filepath, const char *gsr_kms_server_local_filepath, const char *gsr_global_hotkeys_local_filepath) {
- const char *filepaths[3] = {kms_server_proxy_local_filepath, gsr_kms_server_local_filepath, gsr_global_hotkeys_local_filepath};
- for(int i = 0; i < 3; ++i) {
- if(!filepaths[i])
- continue;
-
- /* owner: read/write/execute, group: read/execute, public: read/execute */
- if(chmod(filepaths[i], 0755) != 0) {
- fprintf(stderr, "Error: failed to set %s permissions\n", filepaths[i]);
- return false;
- }
+static bool set_gsr_files_set_permissions_and_capabilities(const char *kms_server_proxy_local_filepath) {
+ /* owner: read/write/execute, group: read/execute, public: read/execute */
+ if(chmod(kms_server_proxy_local_filepath, 0755) != 0) {
+ fprintf(stderr, "Error: failed to set %s permissions\n", kms_server_proxy_local_filepath);
+ return false;
+ }
- if(chown(filepaths[i], 0, 0) != 0) {
- fprintf(stderr, "Error: failed to set %s ownership\n", filepaths[i]);
- return false;
- }
+ if(chown(kms_server_proxy_local_filepath, 0, 0) != 0) {
+ fprintf(stderr, "Error: failed to set %s ownership\n", kms_server_proxy_local_filepath);
+ return false;
}
if(!file_set_capabilities(kms_server_proxy_local_filepath, (const cap_value_t[]){ CAP_SYS_ADMIN, CAP_SETFCAP, CAP_SETUID }, 3)) {
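Review bot: `chmod`, `chown` and `file_set_capabilities` each resolve `kms_server_proxy_local_filepath` separately, and the callers in this diff run the function as root on a path under the user's home (`%s/.local/share/gpu-screen-recorder/kms-server-proxy-2`). The three calls are therefore not guaranteed to act on the same file, and `chmod`/`chown` follow a symlink at that path. Opening the file once with `O_NOFOLLOW`, checking that it is a regular file, and using `fchmod`/`fchown` on the descriptor keeps the mode and ownership change on one inode. The capability step would need an fd-based form (libcap has `cap_set_fd`) to get the same guarantee. `file_set_capabilities` is defined outside this page and the function body continues past the hunk, so the descriptor would also need closing on the later return paths.

```c
static bool set_gsr_files_set_permissions_and_capabilities(const char *kms_server_proxy_local_filepath) {
    /* Pin the inode once so the root-side changes cannot be redirected by a swapped path or a symlink */
    const int fd = open(kms_server_proxy_local_filepath, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if(fd == -1) {
        fprintf(stderr, "Error: failed to open %s\n", kms_server_proxy_local_filepath);
        return false;
    }

    struct stat st;
    if(fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        fprintf(stderr, "Error: %s is not a regular file\n", kms_server_proxy_local_filepath);
        close(fd);
        return false;
    }

    /* owner: read/write/execute, group: read/execute, public: read/execute */
    if(fchmod(fd, 0755) != 0) {
        fprintf(stderr, "Error: failed to set %s permissions\n", kms_server_proxy_local_filepath);
        close(fd);
        return false;
    }

    if(fchown(fd, 0, 0) != 0) {
        fprintf(stderr, "Error: failed to set %s ownership\n", kms_server_proxy_local_filepath);
        close(fd);
        return false;
    }

    /* … unchanged: file_set_capabilities call and the rest of the function … */
```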
@@ -194,7 +179,7 @@ static bool remove_local_gsr_files(const char *user_homepath) {
}
/* |gsr_global_hotkeys_local_filepath| can be NULL */
-static bool setup_local_gsr_files(const char *user_homepath, const char *kms_server_proxy_local_filepath, const char *gsr_kms_server_local_filepath, const char *gsr_global_hotkeys_local_filepath) {
+static bool setup_local_gsr_files(const char *user_homepath, const char *kms_server_proxy_local_filepath) {
if(!create_local_kms_server_proxy_directory(user_homepath)) {
fprintf(stderr, "Error: failed to create ~/.local/share/gpu-screen-recorder directory\n");
return false;
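Review bot: The context comment `/* |gsr_global_hotkeys_local_filepath| can be NULL */` above `setup_local_gsr_files` describes a parameter that the new signature no longer has, so it is stale after this change. Drop it, or replace it with a line that matches what the rest of the commit shows, e.g. `/* Only kms-server-proxy is set up under the home directory; the other gsr binaries are launched from the flatpak install path */`. The function body continues outside this hunk.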
@@ -205,18 +190,6 @@ static bool setup_local_gsr_files(const char *user_homepath, const char *kms_ser
return false;
}
- if(!copy_file_atomic(GSR_KMS_SERVER_FILEPATH, gsr_kms_server_local_filepath)) {
- fprintf(stderr, "Error: failed to copy gsr-kms-server to %s\n", gsr_kms_server_local_filepath);
- return false;
- }
-
- if(gsr_global_hotkeys_local_filepath) {
- if(!copy_file_atomic(GSR_GLOBAL_HOTKEYS_FILEPATH, gsr_global_hotkeys_local_filepath)) {
- fprintf(stderr, "Error: failed to copy gsr-global-hotkeys to %s\n", gsr_global_hotkeys_local_filepath);
- return false;
- }
- }
-
return true;
}
@@ -237,20 +210,14 @@ static int setup_gsr_ui(const char *user_homepath) {
/* Update kms-server-proxy-N to kms-server-proxy-N+1 on update (update that needs to run before this program launches itself) */
snprintf(kms_server_proxy_local_filepath, sizeof(kms_server_proxy_local_filepath), "%s/.local/share/gpu-screen-recorder/kms-server-proxy-2", user_homepath);
- char gsr_kms_server_local_filepath[PATH_MAX];
- snprintf(gsr_kms_server_local_filepath, sizeof(gsr_kms_server_local_filepath), "%s/.local/share/gpu-screen-recorder/gsr-kms-server", user_homepath);
-
- char gsr_global_hotkeys_local_filepath[PATH_MAX];
- snprintf(gsr_global_hotkeys_local_filepath, sizeof(gsr_global_hotkeys_local_filepath), "%s/.local/share/gpu-screen-recorder/gsr-global-hotkeys", user_homepath);
-
if(geteuid() == 0) { /* is current user root? */
- if(!set_gsr_files_set_permissions_and_capabilities(kms_server_proxy_local_filepath, gsr_kms_server_local_filepath, gsr_global_hotkeys_local_filepath))
+ if(!set_gsr_files_set_permissions_and_capabilities(kms_server_proxy_local_filepath))
return 1;
return 0;
} else {
remove_local_gsr_files(user_homepath);
- if(!setup_local_gsr_files(user_homepath, kms_server_proxy_local_filepath, gsr_kms_server_local_filepath, gsr_global_hotkeys_local_filepath))
+ if(!setup_local_gsr_files(user_homepath, kms_server_proxy_local_filepath))
return 1;
const char *args[] = { "pkexec", kms_server_proxy_local_filepath, "setup-gsr-ui", user_homepath, NULL };
@@ -269,9 +236,6 @@ static int launch_gsr_kms_server(const char *initial_socket_path, const char *ca
/* Update kms-server-proxy-N to kms-server-proxy-N+1 on update (update that needs to run before this program launches itself) */
snprintf(kms_server_proxy_local_filepath, sizeof(kms_server_proxy_local_filepath), "%s/.local/share/gpu-screen-recorder/kms-server-proxy-2", user_homepath);
- char gsr_kms_server_local_filepath[PATH_MAX];
- snprintf(gsr_kms_server_local_filepath, sizeof(gsr_kms_server_local_filepath), "%s/.local/share/gpu-screen-recorder/gsr-kms-server", user_homepath);
-
if(file_has_sys_admin_capability(kms_server_proxy_local_filepath)) {
/* Need to resolve kms_server_proxy_local_filepath because /home can be a symlink to another location */
char kms_server_proxy_local_filepath_full[PATH_MAX];
@@ -289,17 +253,17 @@ static int launch_gsr_kms_server(const char *initial_socket_path, const char *ca
return execv(args[0], (char *const*)args);
}
- const char *args[] = { "pkexec", gsr_kms_server_local_filepath, initial_socket_path, card_path, NULL };
+ const char *args[] = { "pkexec", GSR_GLOBAL_HOTKEYS_FILEPATH, initial_socket_path, card_path, NULL };
return execvp(args[0], (char *const*)args);
} else if(geteuid() == 0) { /* is current user root? */
- if(!set_gsr_files_set_permissions_and_capabilities(kms_server_proxy_local_filepath, gsr_kms_server_local_filepath, NULL))
+ if(!set_gsr_files_set_permissions_and_capabilities(kms_server_proxy_local_filepath))
return 1;
- const char *args[] = { gsr_kms_server_local_filepath, initial_socket_path, card_path, NULL };
+ const char *args[] = { GSR_GLOBAL_HOTKEYS_FILEPATH, initial_socket_path, card_path, NULL };
return execv(args[0], (char *const*)args);
} else {
remove_local_gsr_files(user_homepath);
- if(!setup_local_gsr_files(user_homepath, kms_server_proxy_local_filepath, gsr_kms_server_local_filepath, NULL))
+ if(!setup_local_gsr_files(user_homepath, kms_server_proxy_local_filepath))
return 1;
const char *args[] = { "pkexec", kms_server_proxy_local_filepath, initial_socket_path, card_path, user_homepath, NULL };
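Review bot: Both new `args` arrays in `launch_gsr_kms_server` use `GSR_GLOBAL_HOTKEYS_FILEPATH`, so the pkexec fallback and the root branch now run gsr-global-hotkeys with `initial_socket_path` and `card_path`, where the removed lines ran the gsr-kms-server copy. This looks like the wrong macro: the first hunk deletes `GSR_KMS_SERVER_FILEPATH`, which is the define that points at `.../files/bin/gsr-kms-server`. If launching gsr-kms-server is still the intent, keep that `#define` and use it in both places: `const char *args[] = { "pkexec", GSR_KMS_SERVER_FILEPATH, initial_socket_path, card_path, NULL };` and `const char *args[] = { GSR_KMS_SERVER_FILEPATH, initial_socket_path, card_path, NULL };`. The function begins and ends outside this hunk.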
@@ -320,9 +284,6 @@ static int launch_gsr_global_hotkeys(char **argv) {
/* Update kms-server-proxy-N to kms-server-proxy-N+1 on update (update that needs to run before this program launches itself) */
snprintf(kms_server_proxy_local_filepath, sizeof(kms_server_proxy_local_filepath), "%s/.local/share/gpu-screen-recorder/kms-server-proxy-2", user_homepath);
- char gsr_global_hotkeys_local_filepath[PATH_MAX];
- snprintf(gsr_global_hotkeys_local_filepath, sizeof(gsr_global_hotkeys_local_filepath), "%s/.local/share/gpu-screen-recorder/gsr-global-hotkeys", user_homepath);
-
if(!file_has_sys_admin_capability(kms_server_proxy_local_filepath)) {
fprintf(stderr, "Error: kms-server-proxy is missing cap sys admin capability\n");
return 1;
@@ -349,7 +310,7 @@ static int launch_gsr_global_hotkeys(char **argv) {
return 1;
}
- argv[2] = gsr_global_hotkeys_local_filepath;
+ argv[2] = GSR_GLOBAL_HOTKEYS_FILEPATH;
const int result = execv(argv[2], argv + 2);
perror(argv[2]);
return result;