Commits on Source 27

  • Update Friulian translation · 6e642edf
    Fabio Tomat authored
  • credentials/file: Lock down credentials.ini file · f759ebe5
    Ray Strode authored
    Right now credentials.ini is protected from prying eyes by the file modes of
    its parent directories.

    As an added layer of security this commit makes sure credentials.ini
    itself is also given a restrictive file mode.

    Closes: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/199
  • rdp-sam: Use g_mkstemp() instead of mkstemp() to create SAM file · 01139c19
    Pascal Nowack authored
    g_mkstemp() automatically sets CLOEXEC on the created file, so
    avoids the need to do it later explicitly with fcntl.

    Minor changes by Ray Strode.
  • Juliano de Souza Camargo
    3a60771f
  • Update Greek translation · fa658bc8
    Efstathios Iosifidis authored
  • Add Hindi translation · 83eff128
    Guntupalli Karunakar authored
  • Update Portuguese translation · 5ed79324
    Hugo Carvalho authored
  • daemon-system: Allow list g-r-d user for GDM · f9ee016b
    Ray Strode authored
    Previously GDM shipped d-bus policy to allow gnome-remote-desktop to
    talk to it. This caused two problems:

    1. Errors from the bus daemon on systems that don't have g-r-d installed
    2. Hardcoding the username "gnome-remote-desktop" when it's configurable
       on the g-r-d side

    This commit adds the necessary policy to the g-r-d side instead.
  • rdp-routing-token: Fix buffer length check when searching for CR+LF seq · 663ad631
    Pascal Nowack authored
    The routing token that the remote desktop client submits MUST end with
    the CR+LF sequence. When gnome-remote-desktop looks for that sequence,
    it currently assumes that after the CR, the buffer space for the LF
    character is definitely provided.
    A malicious client, however, might not submit further bytes after the CR
    character, and thus gnome-remote-desktop would currently do an
    out-of-bounds buffer read.

    Fix this issue by adjusting the buffer length check to account for the
    situation that 2 bytes are actually read, instead of 1.
  • daemon-system: Validate routing token before printing it in debug logs · da7b437a
    Ray Strode authored
    The routing token is "untrusted input" and may contain control
    characters. At the moment, if debugging is enabled, those control
    characters could end up in the journal. That isn't that big of a deal,
    since the journal already masks control characters by default, but
    still it's a little messy.

    This commit prevalidates the routing token before adding it to debug
    logs. It also adds a warning if the routing token is invalid and
    prints out an encoded version of it in the debug logs in that case.
  • Update Catalan translation · 4b4fd63f
    Jordi Mas authored
  • ctl: Restrict which services can be enabled · 95a61124
    Ray Strode authored
    Right now authenticating for grdctl brings in the ability to enable
    and disable arbitrary systemd services.

    grdctl only uses this ability to change one service, but to protect
    against bugs becoming security holes it's not a bad idea to farm
    out the service configuration to a dedicated mechanism.

    This commit does just that: introduces a new, minimal
    gnome-remote-desktop-enable-service program that is hardwired to
    enable/disable gnome-remote-desktop, and only for the
    gnome-remote-desktop user.

    This program only works for those callers that have the
    org.gnome.remotedesktop.configure-system-daemon polkit action.

    Closes: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/197
  • daemon: Fix small style issues · 20625b37
    Pascal Nowack authored
  • session-rdp: Make network- and intentional disconnect message more clear · 670dac85
    Pascal Nowack authored
    When the remote desktop client closes the connection,
    gnome-remote-desktop rejects a client, or a disconnect through the
    network happens, gnome-remote-desktop currently outputs a message that
    it could not check the file descriptor of the client, which is usually
    true. However, this message also confuses users, so that they think that
    gnome-remote-desktop ran into some problem, when in reality it did not.

    So, make this disconnection message more clear by actually specifying
    that the disconnect happened intentionally or by the network, instead of
    stating that the file descriptor could not be checked.
  • session-rdp: Remove unneeded CUDA context push to socket thread · a501ac18
    Pascal Nowack authored
    Since commit [0](rdp: Adapt to layout manager), this is not necessary
    anymore.

    [0]: 20aacc1f
  • hwaccel-nvidia: Simplify creation of NVENC sessions · fcbd5fc1
    Pascal Nowack authored
    Avoid large cleanup paths when the creation of the NVENC session fails
    by making the NvEncEncodeSession struct g_autoptr compatible and using
    this autocleanup when the actual session creation fails.
    Also use 32-bit integers for the encode-width and encode-height, since
    that is the type that is mostly used for these sizes in
    gnome-remote-desktop.
  • session-rdp: Check whether clients support the DRDYNVC SVC · 8a6df234
    Pascal Nowack authored
    gnome-remote-desktop already requires that, but does not actually check
    that capability. As a result, clients not supporting the DRDYNVC SVC
    would end up at a black screen as the graphics pipeline cannot be
    initialized.
    However, despite checking for this capability, this situation would
    be unlikely to ever happen, as the DRDYNVC is a direct requirement of the
    graphics pipeline, and thus not sending a Join Request for DRDYNVC would
    be an error in the remote desktop client.
  • rdp-pipewire-stream: Create buffer pool before connecting to the stream · 21175a24
    Pascal Nowack authored
    The buffer pool is required when the stream becomes active, so ensure
    that it is created first.
    Also remove the NULL check; it is not necessary.
  • utils: Don't fail with path hint of "." · 7647e8fd
    Ray Strode authored
    grd_rewrite_path_to_user_data_dir takes an optional path hint as
    an argument. If the path hint is unsuitable, it's supposed to use
    the passed in fallback path.

    There's an edge case where an unsuitable path hint fails instead of
    falling back: '.'.

    This commit makes that case properly fall back as well.
  • utils: Add new function to test an fd · 851a1c67
    Ray Strode authored
    This commit adds a function for testing the size and type of the
    passed in fd.

    This will be useful for adding additional tests to ImportCertificate
    in a subsequent commit.
  • daemon: Fail ImportCertificate for iffy fds · 750942da
    Ray Strode authored
    ImportCertificate currently trusts the passed in
    file descriptors implicitly.

    This is okay from a security perspective because the daemon
    runs with less or equal privileges as the caller.

    Still, it makes sense to do some basic checks just for added
    resiliency.

    This commit makes sure the private key and certificate are
    no more than a few dozen kilobytes, and their file descriptors
    aren't coming from character devices or anything like that.

    Closes: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/198
  • Update Hungarian translation · cb6194a1
    Balázs Úr authored
  • daemon-system: Rename on_authorize_method · b495ab4e
    Ray Strode authored
    The on_authorize_method function only authorizes rdp server methods, not
    all methods. We really need to authorize handover methods, as well,
    though, and that authorization will happen in a function of its own.

    For clarity, this commit renames on_authorize_method to
    on_authorize_rdp_server_method.
  • daemon-system: Move get_handover_object_path_for_call up · 1a162658
    Ray Strode authored
    A future commit is going to need to call
    get_handover_object_path_for_call higher up in the code.

    As prep work for that, this commit moves the function definition
    (along with the definition for its helper: get_session_id_of_sender)
    up with only minor spacing/style fixes.
  • daemon-system: Limit Handover access to appropriate user · 9fbaae1a
    Ray Strode authored
    Right now gnome-remote-desktop fails to validate up front that the
    caller of methods on handover objects matches the user associated with
    the session involved with the handover process.

    This can lead to an information leak where the system certificate
    and key are exposed to users not using remote desktop.

    It can also, in some circumstances, allow one user to take control
    of the RDP connection itself.

    This commit adds validation so only the appropriate user of a handover
    object can use it.

    CVE-2024-5148

    https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196
  • build: Bump version to 46.2 · 2551f90a
    Ray Strode authored
  • New upstream version 46.2 · 8c8c28d0
    Jeremy Bícha authored
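
The length-check problem described in commit 663ad631 (rdp-routing-token), shown as an added example that is not gnome-remote-desktop's code. The function names, the `peek` accessor and the sample tokens are constructed for illustration; `peek` records an out-of-range index instead of dereferencing it, so the faulty variant can be run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: a well-formed token and one that stops right after CR. */
static const uint8_t token_ok[] = "constructed-token\r\n";
static const uint8_t token_cut[] = "constructed-token\r";

/* Guarded accessor: records an out-of-bounds index instead of reading it. */
static uint8_t
peek (const uint8_t *buf, size_t len, size_t idx, int *oob)
{
  if (idx >= len)
    {
      *oob = 1;
      return 0;
    }
  return buf[idx];
}

/* Loop bound accounts for 1 byte, although 2 bytes (i and i + 1) are read. */
static ptrdiff_t
find_crlf_one_byte_check (const uint8_t *buf, size_t len, int *oob)
{
  for (size_t i = 0; i < len; ++i)
    if (peek (buf, len, i, oob) == '\r' && peek (buf, len, i + 1, oob) == '\n')
      return (ptrdiff_t) i;
  return -1;
}

/* Loop bound accounts for both bytes. "i + 1 < len" is used rather than
 * "i < len - 1", which would wrap around for an empty buffer. */
static ptrdiff_t
find_crlf_two_byte_check (const uint8_t *buf, size_t len, int *oob)
{
  for (size_t i = 0; i + 1 < len; ++i)
    if (peek (buf, len, i, oob) == '\r' && peek (buf, len, i + 1, oob) == '\n')
      return (ptrdiff_t) i;
  return -1;
}

int
main (void)
{
  int oob = 0;
  find_crlf_one_byte_check (token_cut, sizeof token_cut - 1, &oob);
  printf ("1-byte check reads past the end: %s\n", oob ? "yes" : "no");
  return 0;
}
```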
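
The kind of descriptor check described in commits 851a1c67 and 750942da (size and type of a passed-in fd), as an added example that is not the project's own function. The helper names and the 64 KiB cap are assumptions; the commit message only says "a few dozen kilobytes".

```c
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed cap: the commit message only says "a few dozen kilobytes". */
#define MAX_IMPORT_SIZE (64 * 1024)

enum fd_verdict { FD_OK, FD_STAT_FAILED, FD_NOT_REGULAR, FD_TOO_LARGE };

/* Hypothetical helper: judge the descriptor itself, never a path to it. */
static enum fd_verdict
check_import_fd (int fd, off_t max_size)
{
  struct stat st;

  if (fstat (fd, &st) < 0)
    return FD_STAT_FAILED;
  if (!S_ISREG (st.st_mode))   /* character devices, pipes, sockets, dirs */
    return FD_NOT_REGULAR;
  if (st.st_size > max_size)
    return FD_TOO_LARGE;
  return FD_OK;
}

/* Constructed demo: verdict for an unlinked temp file of `size` bytes. */
static enum fd_verdict
verdict_for_temp_file (off_t size)
{
  char path[] = "/tmp/import-fd-XXXXXX";
  int fd = mkstemp (path);
  enum fd_verdict v = FD_STAT_FAILED;   /* also returned if setup fails */

  if (fd < 0)
    return v;
  unlink (path);
  if (ftruncate (fd, size) == 0)
    v = check_import_fd (fd, MAX_IMPORT_SIZE);
  close (fd);
  return v;
}

/* Constructed demo: a character device is refused whatever its size. */
static enum fd_verdict
verdict_for_dev_null (void)
{
  int fd = open ("/dev/null", O_RDONLY);
  enum fd_verdict v = fd < 0 ? FD_STAT_FAILED : check_import_fd (fd, MAX_IMPORT_SIZE);
  if (fd >= 0)
    close (fd);
  return v;
}
```

`st_size` is a snapshot taken at `fstat()` time, so the code that later reads the file should still stop at the same cap.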