[BEEEP|PM-25164] Prevent memory dumping on renderer on Linux (#16136)

* Implement libmemory_security * Cleanup and add script * Remove duplicate build for flatpak * Rename to process isolation * Move to desktop native * Undo changes in gitignore * Remove after-pack changes * Run cargo fmt * Sort deps * Attempt to fix windows build * Update apps/desktop/desktop_native/process_isolation/Cargo.toml Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com> * Revert "Remove after-pack changes" This reverts commit c441025587. * Fix lib process isolation not being included in build * Fix build * Attempt to fix build * Attempt to fix build * Undo * Fix library not being included --------- Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2025-12-21 02:33:46 +00:00 · 2025-10-13 15:06:41 +02:00
parent 14e7ee4818
commit a7242a1186
10 changed files with 178 additions and 5 deletions
--- a/apps/desktop/desktop_native/process_isolation/src/lib.rs
+++ b/apps/desktop/desktop_native/process_isolation/src/lib.rs
@@ -0,0 +1,46 @@
+#![cfg(target_os = "linux")]
+
+//! This library compiles to a pre-loadable shared object. When preloaded, it
+//! immediately isolates the process using the methods available on the platform.
+//! On Linux, this is PR_SET_DUMPABLE to prevent debuggers from attaching, the env
+//! from being read and the memory from being stolen.
+
+use desktop_core::process_isolation;
+use std::{ffi::c_char, sync::LazyLock};
+
+static ORIGINAL_UNSETENV: LazyLock<unsafe extern "C" fn(*const c_char) -> i32> =
+    LazyLock::new(|| unsafe {
+        std::mem::transmute(libc::dlsym(libc::RTLD_NEXT, c"unsetenv".as_ptr()))
+    });
+
+/// Hooks unsetenv to fix a bug in zypak-wrapper.
+/// Zypak unsets the env in Flatpak as a side-effect, which means that only the top level
+/// processes would be hooked. With this work-around all processes in the tree are hooked
+#[unsafe(no_mangle)]
+unsafe extern "C" fn unsetenv(name: *const c_char) -> i32 {
+    unsafe {
+        let Ok(name_str) = std::ffi::CStr::from_ptr(name).to_str() else {
+            return ORIGINAL_UNSETENV(name);
+        };
+
+        if name_str == "LD_PRELOAD" {
+            // This env variable is provided by the flatpak configuration
+            let ld_preload = std::env::var("PROCESS_ISOLATION_LD_PRELOAD").unwrap_or_default();
+            std::env::set_var("LD_PRELOAD", ld_preload);
+            return 0;
+        }
+
+        ORIGINAL_UNSETENV(name)
+    }
+}
+
+// Hooks the shared object being loaded into the process
+#[ctor::ctor]
+fn preload_init() {
+    let pid = unsafe { libc::getpid() };
+    unsafe {
+        println!("[Process Isolation] Enabling memory security for process {pid}");
+        process_isolation::isolate_process();
+        process_isolation::disable_coredumps();
+    }
+}