feat: implement peer-based systemd unit authorization for Varlink service methods

Author: shanefagan

Cargo.lock

@@ -22,6 +22,7 @@ sysinfo = "0.30"
 libc = "0.2"
 toml = "1.1.2"
 once_cell = "1.21.4"
+threadpool = "1.8.1"
 
 [build-dependencies]
 varlink_generator = "13.0"

Cargo.toml

@@ -14,3 +14,8 @@ diagnostics = 300
 # processes = ["Calculator"]
 # Hardware paths (udev paths) to ignore
 # devices = ["/sys/devices/virtual/input/input231"]
+
+[auth]
+# systemd units authorized to access restricted interfaces (e.g. RGB Control, Controller Registration)
+# If this list is empty, validation is disabled.
+# authorized_units = ["openrgb.service"]

examples/config.sample.toml

@@ -0,0 +1,94 @@
+//! Peer authentication and identity for contextd
+//!
+//! Provides utilities to identify the calling process on a Unix socket
+//! and map it to a systemd unit for granular access control.
+
+use std::cell::RefCell;
+use std::fs;
+use std::os::unix::io::AsRawFd;
+use std::os::unix::net::UnixStream;
+
+thread_local! {
+    /// Stores the credentials of the peer currently being handled by this thread.
+    static CURRENT_PEER: RefCell<Option<PeerInfo>> = const { RefCell::new(None) };
+}
+
+/// Information about the connected peer
+#[derive(Debug, Clone)]
+#[allow(dead_code)]
+pub struct PeerInfo {
+    pub pid: i32,
+    pub uid: u32,
+    pub gid: u32,
+    pub unit: Option<String>,
+}
+
+impl PeerInfo {
+    /// Extracts peer credentials from a UnixStream
+    pub fn from_stream(stream: &UnixStream) -> Option<Self> {
+        let fd = stream.as_raw_fd();
+        let mut ucred = libc::ucred {
+            pid: 0,
+            uid: 0,
+            gid: 0,
+        };
+        let mut len = std::mem::size_of::<libc::ucred>() as libc::socklen_t;
+
+        let res = unsafe {
+            libc::getsockopt(
+                fd,
+                libc::SOL_SOCKET,
+                libc::SO_PEERCRED,
+                &mut ucred as *mut _ as *mut _,
+                &mut len,
+            )
+        };
+
+        if res == 0 {
+            let pid = ucred.pid;
+            let unit = Self::get_unit_for_pid(pid);
+            Some(Self {
+                pid,
+                uid: ucred.uid,
+                gid: ucred.gid,
+                unit,
+            })
+        } else {
+            None
+        }
+    }
+
+    /// Attempts to find the systemd unit name for a given PID by reading its cgroup.
+    fn get_unit_for_pid(pid: i32) -> Option<String> {
+        let cgroup_path = format!("/proc/{}/cgroup", pid);
+        if let Ok(content) = fs::read_to_string(cgroup_path) {
+            // In cgroup v2, the format is "0::/path/to/unit"
+            for line in content.lines() {
+                if let Some(path) = line.strip_prefix("0::") {
+                    // Typical paths:
+                    // /system.slice/contextd.service
+                    // /user.slice/user-1000.slice/user@1000.service/app.slice/app-name.scope
+
+                    // We want the most specific .service or .scope name
+                    let parts: Vec<&str> = path.split('/').collect();
+                    for part in parts.iter().rev() {
+                        if part.ends_with(".service") || part.ends_with(".scope") {
+                            return Some(part.to_string());
+                        }
+                    }
+                }
+            }
+        }
+        None
+    }
+}
+
+/// Sets the current peer info for the local thread.
+pub fn set_current_peer(info: Option<PeerInfo>) {
+    CURRENT_PEER.with(|p| *p.borrow_mut() = info);
+}
+
+/// Gets the current peer info for the local thread.
+pub fn get_current_peer() -> Option<PeerInfo> {
+    CURRENT_PEER.with(|p| p.borrow().clone())
+}

src/auth.rs

@@ -16,6 +16,15 @@ pub struct Config {
     pub ttls: TtlConfig,
     #[serde(default)]
     pub blacklist: BlacklistConfig,
+    #[serde(default)]
+    pub auth: AuthConfig,
+}
+
+/// Authentication settings for peer validation
+#[derive(Debug, Deserialize, Clone, Default)]
+pub struct AuthConfig {
+    /// Systemd units authorized to access restricted interfaces (e.g. RGB Control)
+    pub authorized_units: Vec<String>,
 }
 
 /// TTL settings for various detectors (in seconds)

src/config.rs

@@ -78,3 +78,4 @@ method UnregisterController(pid: int) -> ()
 # Lists all active controller hints.
 method ListControllers() -> (controllers: []Controller)
 
+error PermissionDenied(unit: string)

src/contextd.varlink

@@ -8,16 +8,15 @@ mod contextd {
     #![allow(clippy::all, non_snake_case, non_camel_case_types, unused_imports)]
     include!(concat!(env!("OUT_DIR"), "/contextd.rs"));
 }
+mod auth;
 mod config;
 mod detectors;
 
 mod service;
 
 mod rgb;
 
-use std::sync::{Arc, RwLock};
-use varlink::VarlinkService;
-
+use crate::auth::{PeerInfo, set_current_peer};
 use crate::detectors::controllers::manager::ControllerManager;
 use crate::detectors::diagnostics::manager::DiagnosticsManager;
 use crate::detectors::games::heroic::HeroicDetector;
@@ -27,6 +26,11 @@ use crate::detectors::games::steam::SteamDetector;
 use crate::detectors::hardware::manager::HardwareManager;
 use crate::detectors::hardware::udev::UdevDetector;
 use crate::service::ContextService;
+use std::io::BufReader;
+use std::os::unix::net::UnixListener;
+use std::sync::{Arc, RwLock};
+use threadpool::ThreadPool;
+use varlink::{ConnectionHandler, VarlinkService};
 
 /// Helper to fix socket permissions and ownership
 fn spawn_permission_fixer(path: String, mode: u32, use_rgb_group: bool) {
@@ -183,13 +187,9 @@ fn main() -> anyhow::Result<()> {
         log::info!("Observer listening on {}", obs_addr);
         log::info!("Control listening on {}", ctrl_addr);
 
-        let config = varlink::ListenConfig {
-            initial_worker_threads: 1,
-            max_worker_threads: 128,
-            idle_timeout: 0,
-            ..Default::default()
-        };
-        varlink::listen(control_service, ctrl_addr, &config)?;
+        // For simplicity, we only run one blocking listener in the main thread.
+        // In RGB mode, the Control interface is the primary listener.
+        run_server(control_service, ctrl_addr)?;
     } else {
         log::info!("Starting Context Daemon in Core Mode...");
         let _ = std::fs::create_dir_all("/run/contextd/public");
@@ -224,13 +224,42 @@ fn main() -> anyhow::Result<()> {
         );
         log::info!("Core listening on {}", address);
 
-        let config = varlink::ListenConfig {
-            initial_worker_threads: 1,
-            max_worker_threads: 128,
-            idle_timeout: 0,
-            ..Default::default()
-        };
-        varlink::listen(varlink_service, address, &config)?;
+        run_server(varlink_service, address)?;
+    }
+
+    Ok(())
+}
+
+/// A custom Varlink server implementation that captures peer credentials.
+fn run_server(service: VarlinkService, address: &str) -> anyhow::Result<()> {
+    let path = address.trim_start_matches("unix:");
+    let listener = UnixListener::bind(path)?;
+    let pool = ThreadPool::new(128);
+    let service = Arc::new(service);
+
+    log::debug!("Custom Varlink server listening on {}", path);
+
+    for stream in listener.incoming() {
+        match stream {
+            Ok(stream) => {
+                let service = Arc::clone(&service);
+                let peer_info = PeerInfo::from_stream(&stream);
+
+                pool.execute(move || {
+                    set_current_peer(peer_info);
+                    let mut reader = BufReader::new(&stream);
+                    let mut writer = &stream;
+
+                    if let Err(e) = service.handle(&mut reader, &mut writer, None) {
+                        log::debug!("Connection closed: {}", e);
+                    }
+                    set_current_peer(None);
+                });
+            }
+            Err(e) => {
+                log::error!("Error accepting connection: {}", e);
+            }
+        }
     }
 
     Ok(())

src/main.rs

@@ -29,3 +29,4 @@ error InvalidMatrixSize(width: int, height: int, data_len: int)
 
 # A color component value is outside the valid range (0-255)
 error InvalidColorValue(component: string, value: int)
+error PermissionDenied(unit: string)