Tracking issue for the security and code-quality findings raised in the RustDesk maintainer's security review of libdrmtap-sys 0.4.3, the privileged TCB behind rustdesk/rustdesk#15420.
The review (architecture, full audit, summary) was thorough and is appreciated. It also credited what is already in place: fail-closed/unconditional confinement (the build hard-codes HAVE_LIBCAP/HAVE_SECCOMP and assert!s the link), the PR_SET_NO_NEW_PRIVS -> drop-caps -> default-KILL seccomp sequence, the /dev/dri/ device allowlist, no injection vectors, and correct client-side bounds checks.
TCB findings (this repo)
Out of scope here (consumer-side, tracked in the RustDesk PR)
The central deployment risk — a world-executable file-capability helper on multi-user hosts — and the related packaging fixes (install root:<group> 0750 instead of 0755, gate the helper copy on the actual feature, keep drm off in default builds, document the multi-user threat model) live in the RustDesk integration, not in libdrmtap, and are being handled on the PR.
On "author-authored privileged C, minimal external scrutiny"
The review fairly noted this code is new and authored by the same person submitting the PR. Tracking these findings publicly, with attribution, is part of addressing that: the security work on the TCB should be transparent and open to review. External scrutiny of the helper is welcome.
Reported by the RustDesk maintainer (reviewing as @rustdesk) in the security review of rustdesk/rustdesk#15420.
Tracking issue for the security and code-quality findings raised in the RustDesk maintainer's security review of
libdrmtap-sys 0.4.3, the privileged TCB behind rustdesk/rustdesk#15420.The review (architecture, full audit, summary) was thorough and is appreciated. It also credited what is already in place: fail-closed/unconditional confinement (the build hard-codes
HAVE_LIBCAP/HAVE_SECCOMPandassert!s the link), thePR_SET_NO_NEW_PRIVS-> drop-caps -> default-KILL seccomp sequence, the/dev/dri/device allowlist, no injection vectors, and correct client-side bounds checks.TCB findings (this repo)
open/openatfrom seccomp after device initO_RDONLYdrmtap_version()Out of scope here (consumer-side, tracked in the RustDesk PR)
The central deployment risk — a world-executable file-capability helper on multi-user hosts — and the related packaging fixes (install
root:<group> 0750instead of0755, gate the helper copy on the actual feature, keepdrmoff in default builds, document the multi-user threat model) live in the RustDesk integration, not in libdrmtap, and are being handled on the PR.On "author-authored privileged C, minimal external scrutiny"
The review fairly noted this code is new and authored by the same person submitting the PR. Tracking these findings publicly, with attribution, is part of addressing that: the security work on the TCB should be transparent and open to review. External scrutiny of the helper is welcome.
Reported by the RustDesk maintainer (reviewing as @rustdesk) in the security review of rustdesk/rustdesk#15420.