Changeset 93469 in vbox for trunk

Timestamp:

Jan 27, 2022 9:25:39 PM (3 years ago)

Author:

vboxsync

Message:

Additions: Linux: VBoxDRMClient: make IPC socket access configurable via guest property, bugref:10134.

Guest property '/VirtualBox/GuestAdd/DRMIpcRestricted' when set with RDONLYGUEST
flag is used to restrict DRM IPC server socket access to root and users of 'vboxdrmipc'
group. If property is not set or has no RDONLYGUEST flag, access is granted to all users.

VBoxDRMClient subscribes to guest property update notifications and updates server socket
access mode accordingly in runtime. When switching from unrestricted mode to the restricted
one, all established IPC connections will be kept, new connections will require corresponding
access permissions.

Location:

trunk/src/VBox/Additions/x11/VBoxClient

Files:

• Makefile.kmk (modified) (1 diff)
• display-drm.cpp (modified) (8 diffs)

trunk/src/VBox/Additions/x11/VBoxClient/Makefile.kmk

@@ -103 +103 @@
  VBoxClient_SOURCES += \
         hostversion.cpp
+ VBoxDRMClient_DEFS += VBOX_WITH_GUEST_PROPS
 endif
 

trunk/src/VBox/Additions/x11/VBoxClient/display-drm.cpp

@@ -38 +38 @@
  * back to host, so host and guest will have the same screen layout representation.
  *
+ * By default, access to IPC server socket is granted to all users. It can be restricted to
+ * only root and users from group 'vboxdrmipc' if '/VirtualBox/GuestAdd/DRMIpcRestricted' guest
+ * property is set and READ-ONLY for guest. User group 'vboxdrmipc' is created during Guest
+ * Additions installation. If this group is removed (or not found due to any reason) prior to
+ * service start, access to IPC server socket will be granted to root only regardless
+ * if '/VirtualBox/GuestAdd/DRMIpcRestricted' guest property is set or not. If guest property
+ * is set, but is not READ-ONLY for guest, property is ignored and IPC socket access is granted
+ * to all users.
+ *
  * Logging is implemented in a way that errors are always printed out, VBClLogVerbose(1) and
  * VBClLogVerbose(2) are used for debugging purposes. Verbosity level 1 is for messages related
@@ -66 +75 @@
  *
  *
- * The following loack are utilized:
+ * The following locks are utilized:
  *
  * #g_ipcClientConnectionsListCritSect - protects access to list of IPC client connections.
@@ -79 +88 @@
 
 #include <VBox/VBoxGuestLib.h>
+#include <VBox/HostServices/GuestPropertySvc.h>
 
 #include <iprt/getopt.h>
@@ -133 +143 @@
 /** IPC client connections counter. */
 static volatile uint32_t g_cDrmIpcConnections = 0;
+/* A flag which indicates whether access to IPC socket should be restricted.
+ * This flag caches '/VirtualBox/GuestAdd/DRMIpcRestricted' guest property
+ * in order to prevent its retrieving from the host side each time a new IPC
+ * client connects to server. This flag is updated each time when property is
+ * changed on the host side. */
+static volatile bool g_fDrmIpcRestricted;
 
 /** DRM version structure. */
@@ -920 +936 @@
             {
                 /* Authenticate remote peer. */
-                rc = vbDrmIpcAuth(hClientSession);
+                if (ASMAtomicReadBool(&g_fDrmIpcRestricted))
+                    rc = vbDrmIpcAuth(hClientSession);
+
                 if (RT_SUCCESS(rc))
                 {
@@ -970 +988 @@
 }
 
+/**
+ * Grant access to DRM IPC server socket depending on VM configuration.
+ *
+ * If VM has '/VirtualBox/GuestAdd/DRMIpcRestricted' guest property set
+ * and this property is READ-ONLY for the guest side, access will be
+ * granted to root and users from 'vboxdrmipc' group only. If group does
+ * not exists, only root will have access to the socket.  When property is
+ * not set or not READ-ONLY, all users will have access to the socket.
+ *
+ * @param   hIpcServer  IPC server handle.
+ */
+static void vbDrmSetIpcServerAccessPermissions(RTLOCALIPCSERVER hIpcServer)
+{
+    int rc;
+
+    ASMAtomicWriteBool(&g_fDrmIpcRestricted, VbglR3DrmRestrictedIpcAccessIsNeeded());
+
+    if (g_fDrmIpcRestricted)
+    {
+        struct group *pGrp;
+        pGrp = getgrnam(VBOX_DRMIPC_USER_GROUP);
+        if (pGrp)
+        {
+            rc = RTLocalIpcServerGrantGroupAccess(hIpcServer, pGrp->gr_gid);
+            if (RT_SUCCESS(rc))
+                VBClLogInfo("IPC server socket access granted to '" VBOX_DRMIPC_USER_GROUP "' users\n");
+            else
+                VBClLogError("unable to grant IPC server socket access to '" VBOX_DRMIPC_USER_GROUP "' users, rc=%Rrc\n", rc);
+
+        }
+        else
+            VBClLogError("unable to grant IPC server socket access to '" VBOX_DRMIPC_USER_GROUP "', group does not exist\n");
+    }
+    else
+    {
+        rc = RTLocalIpcServerSetAccessMode(hIpcServer,
+                                           RTFS_UNIX_IRUSR | RTFS_UNIX_IWUSR |
+                                           RTFS_UNIX_IRGRP | RTFS_UNIX_IWGRP |
+                                           RTFS_UNIX_IROTH | RTFS_UNIX_IWOTH);
+        if (RT_SUCCESS(rc))
+            VBClLogInfo("IPC server socket access granted to all users\n");
+        else
+            VBClLogError("unable to grant IPC server socket access to all users, rc=%Rrc\n", rc);
+    }
+}
+
+/**
+ * Wait and handle '/VirtualBox/GuestAdd/DRMIpcRestricted' guest property change.
+ *
+ * This function is executed in context of main().
+ *
+ * @param   hIpcServer  IPC server handle.
+ */
+static void vbDrmPollIpcServerAccessMode(RTLOCALIPCSERVER hIpcServer)
+{
+    HGCMCLIENTID idClient;
+    int rc;
+
+    rc = VbglR3GuestPropConnect(&idClient);
+    if (RT_SUCCESS(rc))
+    {
+        do
+        {
+            /* Buffer should be big enough to fit guest property data layout: Name\0Value\0Flags\0. */
+            static char achBuf[GUEST_PROP_MAX_NAME_LEN];
+            uint64_t u64Timestamp = 0;
+
+            rc = VbglR3GuestPropWait(idClient, VBGLR3DRMIPCPROPRESTRICT, achBuf, sizeof(achBuf), u64Timestamp,
+                                     VBOX_DRMIPC_RX_TIMEOUT_MS, NULL, NULL, &u64Timestamp, NULL, NULL);
+            if (RT_SUCCESS(rc))
+                vbDrmSetIpcServerAccessPermissions(hIpcServer);
+            else if (rc != VERR_TIMEOUT)
+            {
+                VBClLogError("error on waiting guest property notification, rc=%Rrc\n", rc);
+                RTThreadSleep(VBOX_DRMIPC_RX_RELAX_MS);
+            }
+
+        } while (!ASMAtomicReadBool(&g_fShutdown));
+
+        VbglR3GuestPropDisconnect(idClient);
+    }
+    else
+        VBClLogError("cannot connect to VM guest properties service, rc=%Rrc\n", rc);
+}
+
 int main(int argc, char *argv[])
 {
@@ -1093 +1196 @@
     }
 
-    struct group *pGrp;
-    pGrp = getgrnam(VBOX_DRMIPC_USER_GROUP);
-    if (pGrp)
-    {
-        rc = RTLocalIpcServerGrantGroupAccess(hIpcServer, pGrp->gr_gid);
-        if (RT_FAILURE(rc))
-            VBClLogError("unable to grant IPC server socket access to '" VBOX_DRMIPC_USER_GROUP "', rc=%Rrc\n", rc);
-    }
-    else
-        VBClLogError("unable to grant IPC server socket access to '" VBOX_DRMIPC_USER_GROUP "', group does not exist\n");
+    /* Set IPC server socket access permissions according to VM configuration. */
+    vbDrmSetIpcServerAccessPermissions(hIpcServer);
 
     /* Attempt to start DRM resize task. */
@@ -1114 +1209 @@
         if (RT_SUCCESS(rc))
         {
+            /* Poll for host notification about IPC server socket access mode change. */
+            vbDrmPollIpcServerAccessMode(hIpcServer);
+
             /* HACK ALERT!
              * The sequence of RTThreadWait(drmResizeThread) -> RTLocalIpcServerDestroy() -> RTThreadWait(vbDrmIpcThread)