From 8d9b6038ae855d81921956bf9b1c9b89700c9e47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 9 Jul 2024 09:16:03 +0200 Subject: [PATCH] Use QubesDB for knowing if mic is allowed or not --- Makefile | 4 +- debian/qubes-audio-daemon.install | 2 - pulse/pacat-simple-vchan.c | 144 ++++++++++++------------------ pulse/qubes.AudioInputDisable | 4 - pulse/qubes.AudioInputEnable | 4 - qubesguidaemon/mic.py | 74 ++++++++++----- rpm_spec/gui-daemon.spec.in | 2 - window-icon-updater/Makefile | 1 + 8 files changed, 113 insertions(+), 122 deletions(-) delete mode 100755 pulse/qubes.AudioInputDisable delete mode 100755 pulse/qubes.AudioInputEnable diff --git a/Makefile b/Makefile index 3b88e459..54e36d99 100644 --- a/Makefile +++ b/Makefile @@ -51,7 +51,7 @@ shmoverride/shmoverride.so: shmoverride/X-wrapper-qubes: (cd shmoverride; $(MAKE) X-wrapper-qubes) - + pulse/pacat-simple-vchan: $(MAKE) -C pulse pacat-simple-vchan @@ -65,8 +65,6 @@ install: install -D gui-daemon/qubes-guid $(DESTDIR)/usr/bin/qubes-guid install -m 0644 -D gui-daemon/qubes-guid.1 $(DESTDIR)$(MANDIR)/man1/qubes-guid.1 install -D pulse/pacat-simple-vchan $(DESTDIR)/usr/bin/pacat-simple-vchan - install -D pulse/qubes.AudioInputEnable $(DESTDIR)/etc/qubes-rpc/qubes.AudioInputEnable - install -D pulse/qubes.AudioInputDisable $(DESTDIR)/etc/qubes-rpc/qubes.AudioInputDisable install -D shmoverride/X-wrapper-qubes $(DESTDIR)/usr/bin/X-wrapper-qubes install -D shmoverride/shmoverride.so $(DESTDIR)$(LIBDIR)/qubes-gui-daemon/shmoverride.so install -D -m 0644 gui-daemon/guid.conf $(DESTDIR)/etc/qubes/guid.conf diff --git a/debian/qubes-audio-daemon.install b/debian/qubes-audio-daemon.install index 0b57c584..5064a855 100644 --- a/debian/qubes-audio-daemon.install +++ b/debian/qubes-audio-daemon.install @@ -1,3 +1 @@ usr/bin/pacat-simple-vchan -etc/qubes-rpc/qubes.AudioInputEnable -etc/qubes-rpc/qubes.AudioInputDisable 
diff --git a/pulse/pacat-simple-vchan.c b/pulse/pacat-simple-vchan.c
index ec799010..ea8a22b7 100644
--- a/pulse/pacat-simple-vchan.c
+++ b/pulse/pacat-simple-vchan.c
@@ -809,102 +809,91 @@ static void check_vchan_eof_timer(pa_mainloop_api*a, pa_time_event* e, a->time_restart(e, &restart_tv); } +int is_rec_allowed_from_qdb(struct userdata *u) { + int new_rec_allowed; + char *qdb_entry = qdb_read(u->qdb, u->qdb_path, NULL); + + if (qdb_entry != NULL) { + if (strcmp(qdb_entry, "0") == 0) { + new_rec_allowed = 0; + } else if (strcmp(qdb_entry, "1") == 0) { + new_rec_allowed = 1; + } else { + pacat_log("invalid value from Qubes DB"); + new_rec_allowed = -1; + } + } else { + new_rec_allowed = -errno; + if (new_rec_allowed == -ENOENT) + pacat_log("no %s entry in QubesDB", u->qdb_path); + else + pacat_log("unable to obtain %s entry from QubesDB", u->qdb_path); + } + + free(qdb_entry); + + return new_rec_allowed; +} + static void control_socket_callback(pa_mainloop_api *UNUSED(a), - pa_io_event *UNUSED(e), int fd, pa_io_event_flags_t f, + pa_io_event *UNUSED(e), int UNUSED(fd), pa_io_event_flags_t f, void *userdata) { + struct userdata *u = userdata; - int client_fd; - char command_buffer[32]; - size_t command_len = 0; - int ret; int new_rec_allowed = -1; - if (!(f & PA_IO_EVENT_INPUT)) - return; + pacat_log("callback %d", new_rec_allowed); - client_fd = accept(fd, NULL, NULL); - if (client_fd < 0) { - pacat_log("Accept control connection failed: %s", strerror(errno)); + if (!(f & PA_IO_EVENT_INPUT)) return; - } - - /* read until either: - * - end of command (\n) is found - * - EOF - */ - do { - ret = read(client_fd, command_buffer+command_len, sizeof(command_buffer)-command_len); - if (ret < 0) { - pacat_log("Control client read failed: %s", strerror(errno)); - return; - } - command_len += ret; - if (ret == 0) - break; - } while (!memchr(command_buffer + (command_len-ret), '\n', ret)); - if (strncmp(command_buffer, "audio-input 0\n", command_len) == 0) { - new_rec_allowed = 0; - } else if (strncmp(command_buffer, "audio-input 1\n", command_len) == 0) { - new_rec_allowed = 1; - } else { - pacat_log("Invalid command buffer"); - return; - 
} + new_rec_allowed = is_rec_allowed_from_qdb(u); if (new_rec_allowed != -1) { g_mutex_lock(&u->prop_mutex); - u->rec_allowed = new_rec_allowed; - pacat_log("Setting audio-input to %s", u->rec_allowed ? "enabled" : "disabled"); - if (u->rec_allowed && u->rec_requested) { - pacat_log("Recording start"); - pa_stream_cork(u->rec_stream, 0, NULL, NULL); - } else if (!u->rec_allowed && u->rec_stream && - (u->rec_requested || !pa_stream_is_corked(u->rec_stream))) { - pacat_log("Recording stop"); - pa_stream_cork(u->rec_stream, 1, NULL, NULL); + pacat_log("something %d", new_rec_allowed); + if (new_rec_allowed != u->rec_allowed) { + pacat_log("something else %d", new_rec_allowed); + u->rec_allowed = new_rec_allowed; + pacat_log("Setting audio-input to %s", u->rec_allowed ? "enabled" : "disabled"); + if (u->rec_allowed && u->rec_requested) { + pacat_log("Recording start"); + pa_stream_cork(u->rec_stream, 0, NULL, NULL); + } else if (!u->rec_allowed && u->rec_stream && + (u->rec_requested || !pa_stream_is_corked(u->rec_stream))) { + pacat_log("Recording stop"); + pa_stream_cork(u->rec_stream, 1, NULL, NULL); + } + if (!qdb_write(u->qdb, u->qdb_path, new_rec_allowed ? "1" : "0", 1)) { + pacat_log("Failed to write QubesDB %s: %s", u->qdb_path, strerror(errno)); + } } g_mutex_unlock(&u->prop_mutex); - if (!qdb_write(u->qdb, u->qdb_path, new_rec_allowed ? 
"1" : "0", 1)) { - pacat_log("Failed to write QubesDB %s: %s", u->qdb_path, strerror(errno)); - } } - /* accept only one command per connection */ - close(client_fd); } static int setup_control(struct userdata *u) { int socket_fd = -1; - /* better safe than sorry - zero initialize the buffer */ - struct sockaddr_un addr = { 0 }; - socket_fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (socket_fd == -1) { - pacat_log("socket failed: %s", strerror(errno)); + u->qdb = qdb_open(NULL); + if (!u->qdb) { + pacat_log("qdb_open failed: %s", strerror(errno)); goto fail; } - if ((size_t)snprintf(addr.sun_path, sizeof(addr.sun_path), - "/var/run/qubes/audio-control.%s", u->name) - >= sizeof(addr.sun_path)) { - pacat_log("VM name too long"); + if (asprintf(&u->qdb_path, "/audio-input/%s", u->name) < 0) { + pacat_log("QubesDB path setup failed: %s", strerror(errno)); + u->qdb_path = NULL; goto fail; } - /* without this line, the bind() fails in many linux versions - with Invalid Argument, and mic cannot attach */ - addr.sun_family = AF_UNIX; - - /* ignore result */ - unlink(addr.sun_path); - if (bind(socket_fd, &addr, sizeof(addr)) == -1) { - pacat_log("bind to %s failed: %s", addr.sun_path, strerror(errno)); + if (!qdb_watch(u->qdb, u->qdb_path)) { + pacat_log("failed to setup watch on %s: %m\n", u->qdb_path); goto fail; } - if (listen(socket_fd, 5) == -1) { - pacat_log("listen on %s failed: %s", addr.sun_path, strerror(errno)); + socket_fd = qdb_watch_fd(u->qdb); + if (socket_fd < 0) goto fail; - } u->control_socket_event = u->mainloop_api->io_new(u->mainloop_api, socket_fd, PA_IO_EVENT_INPUT, control_socket_callback, u); 
@@ -913,23 +902,6 @@ static int setup_control(struct userdata *u) { goto fail; } - u->qdb = qdb_open(NULL); - if (!u->qdb) { - pacat_log("qdb_open failed: %s", strerror(errno)); - goto fail; - } - - if (asprintf(&u->qdb_path, "/audio-input/%s", u->name) < 0) { - pacat_log("QubesDB path setup failed: %s", strerror(errno)); - u->qdb_path = NULL; - goto fail; - } - - if (!qdb_write(u->qdb, u->qdb_path, "0", 1)) { - pacat_log("qdb_write failed: %s", strerror(errno)); - goto fail; - } - u->control_socket_fd = socket_fd; return 0; @@ -956,8 +928,6 @@ static void control_cleanup(struct userdata *u) { u->mainloop_api->io_free(u->control_socket_event); if (u->control_socket_fd > 0) close(u->control_socket_fd); - if (u->qdb && u->qdb_path) - qdb_rm(u->qdb, u->qdb_path); if (u->qdb_path) free(u->qdb_path); if (u->qdb) diff --git a/pulse/qubes.AudioInputDisable b/pulse/qubes.AudioInputDisable deleted file mode 100755 index 7c82eb5f..00000000 --- a/pulse/qubes.AudioInputDisable +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -[ -n "$1" ] || exit 1 -control_socket="/var/run/qubes/audio-control.$1" -echo "audio-input 0" | socat -u - "UNIX-CONNECT:$control_socket" diff --git a/pulse/qubes.AudioInputEnable b/pulse/qubes.AudioInputEnable deleted file mode 100755 index 150f5af9..00000000 --- a/pulse/qubes.AudioInputEnable +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -[ -n "$1" ] || exit 1 -control_socket="/var/run/qubes/audio-control.$1" -echo "audio-input 1" | socat -u - "UNIX-CONNECT:$control_socket" diff --git a/qubesguidaemon/mic.py b/qubesguidaemon/mic.py index e5006bde..69b88b09 100644 --- a/qubesguidaemon/mic.py +++ b/qubesguidaemon/mic.py @@ -51,7 +51,8 @@ class MicDeviceExtension(qubes.ext.Extension): def __init__(self): super(MicDeviceExtension, self).__init__() - def get_device(self, app): + @staticmethod + def get_device(app): return MicDevice( app.domains[0], product="microphone", manufacturer="build-in" ) 
@@ -99,7 +100,7 @@ def on_device_list_attached_mic(self, vm, event, persistent=None): ) if untrusted_audio_input == b"1": # (device, options) - yield (self.get_device(vm.app), {}) + yield self.get_device(vm.app), {} @qubes.ext.handler("device-pre-attach:mic") async def on_device_pre_attach_mic(self, vm, event, device, options): @@ -123,16 +124,22 @@ async def on_device_pre_attach_mic(self, vm, event, device, options): raise qubes.exc.QubesVMNotRunningError( audiovm, "Audio VM {} isn't running".format(audiovm) ) - try: - await audiovm.run_service_for_stdio( - "qubes.AudioInputEnable+{}".format(vm.name) - ) - except subprocess.CalledProcessError: - raise qubes.exc.QubesVMError( - vm, - "Failed to attach audio input from {!s} to {!s}: " - "pulseaudio agent not running".format(audiovm, vm), - ) + + if audiovm.features.check_with_netvm( + "supported-rpc.qubes.AudioInputEnable", False + ): + try: + await audiovm.run_service_for_stdio( + "qubes.AudioInputEnable+{}".format(vm.name) + ) + except subprocess.CalledProcessError: + raise qubes.exc.QubesVMError( + vm, + "Failed to attach audio input from {!s} to {!s}: " + "pulseaudio agent not running".format(audiovm, vm), + ) + else: + audiovm.untrusted_qdb.write("/audio-input/{}".format(vm.name), "1") # pylint: disable=unused-argument @qubes.ext.handler("device-pre-detach:mic") 
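Review bot: The legacy branch in `on_device_pre_attach_mic` is selected with `audiovm.features.check_with_netvm(...)`, which falls back to the AudioVM's netvm rather than its template. If `supported-rpc.*` features are recorded on the template (as they usually are, worth confirming), a template-based AudioVM still running the old daemon would take the QubesDB branch and the write would have no effect. The same call appears in `on_device_pre_detach_mic` in the following hunk, where the consequence is worse: dom0 would report the microphone detached while the old daemon may still have recording allowed. Consider `check_with_template` for both lookups. The QubesDB branch also returns without any confirmation that the daemon acted on the write, which the RPC call provided through its exit status.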
@@ -153,13 +160,40 @@ async def on_device_pre_detach_mic(self, vm, event, device): raise qubes.exc.QubesVMNotRunningError( audiovm, "Audio VM {} isn't running".format(audiovm) ) - try: - await audiovm.run_service_for_stdio( - "qubes.AudioInputDisable+{}".format(vm.name) + + if audiovm.features.check_with_netvm( + "supported-rpc.qubes.AudioInputDisable", False + ): + try: + await audiovm.run_service_for_stdio( + "qubes.AudioInputDisable+{}".format(vm.name) + ) + except subprocess.CalledProcessError: + raise qubes.exc.QubesVMError( + vm, + "Failed to detach audio input from {!s} to {!s}: " + "pulseaudio agent not running".format(audiovm, vm), + ) + else: + audiovm.untrusted_qdb.write("/audio-input/{}".format(vm.name), "0") + + @qubes.ext.handler("property-set:audiovm") + def on_property_set( + self, subject, event, name, newvalue, oldvalue=None + ): + if newvalue == oldvalue: + return + if oldvalue: + mic_allowed = oldvalue.untrusted_qdb.read( + "/audio-input/{}".format(subject.name) ) - except subprocess.CalledProcessError: - raise qubes.exc.QubesVMError( - vm, - "Failed to detach audio input from {!s} to {!s}: " - "pulseaudio agent not running".format(audiovm, vm), + if mic_allowed not in (b"0", b"1"): + raise qubes.exc.QubesVMError( + subject, + "Invalid value for /audio-input/{!s} from {!s}".format( + subject.name, oldvalue + ), + ) + newvalue.untrusted_qdb.write( + "/audio-input/{}".format(subject.name), mic_allowed ) diff --git a/rpm_spec/gui-daemon.spec.in b/rpm_spec/gui-daemon.spec.in index bc5288d4..961a0880 100644 --- a/rpm_spec/gui-daemon.spec.in +++ b/rpm_spec/gui-daemon.spec.in @@ -184,8 +184,6 @@ rm -f %{name}-%{version} %files -n qubes-audio-daemon /usr/bin/pacat-simple-vchan -/etc/qubes-rpc/qubes.AudioInputEnable -/etc/qubes-rpc/qubes.AudioInputDisable %files -n qubes-gui-dom0 %config(noreplace) %{_sysconfdir}/qubes/policy.d/90-default-gui-daemon.policy 
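Review bot: `on_property_set` carries the microphone grant over to the new AudioVM from a value read through `oldvalue.untrusted_qdb`, so the decision to enable recording is taken from data the old AudioVM may be able to influence; checking it against `(b"0", b"1")` validates the format, not the authorization. Deriving the value from dom0's own record of whether the mic device is attached to `subject` would avoid trusting the old AudioVM; this assumes the VM side can write that QubesDB path, which is worth confirming. The handler also dereferences `newvalue.untrusted_qdb` without a guard, so clearing the property (`newvalue` being `None`) would presumably raise `AttributeError`; add `if not newvalue: return` before the write. The old AudioVM's entry is also left at its previous value rather than being reset to `"0"`.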
diff --git a/window-icon-updater/Makefile b/window-icon-updater/Makefile
index 0e8009ba..295ccbef 100644
--- a/window-icon-updater/Makefile
+++ b/window-icon-updater/Makefile
@@ -3,6 +3,7 @@ all:
 install:
 install -D icon-receiver $(DESTDIR)/usr/lib/qubes/icon-receiver
+ install -d $(DESTDIR)/etc/qubes-rpc
 ln -s /var/run/qubes/icon-receiver.sock $(DESTDIR)/etc/qubes-rpc/qubes.WindowIconUpdater
 install -d $(DESTDIR)/etc/qubes/rpc-config
 install -m 0664 -D qubes.WindowIconUpdater.config $(DESTDIR)/etc/qubes/rpc-config/qubes.WindowIconUpdater