fix(Device Hiding): add 'hide_from_root' option to allow moving devnode during hide logic

ShadowApex · ShadowApex · commit d9cad1e550a5 · 2026-02-01T09:15:34.000-08:00
diff --git a/src/config/mod.rs b/src/config/mod.rs
@@ -261,6 +261,10 @@ pub struct SourceDevice {
     /// will not be hidden or grabbed. Defaults to false.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub passthrough: Option<bool>,
+    /// If true, the source device node will be moved to /dev/inputplumber/sources in
+    /// order to try to prevent elevated processes from reading events from the device.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub hide_from_root: Option<bool>,
     /// Defines which events are included or excluded from input processing by
     /// the source device.
     #[serde(skip_serializing_if = "Option::is_none")]
diff --git a/src/input/composite_device/mod.rs b/src/input/composite_device/mod.rs
@@ -40,7 +40,7 @@ use crate::{
         },
         target::TargetDeviceTypeId,
     },
-    udev::{hide_device, unhide_device},
+    udev::{hide_device, unhide_device, HideFlag},
 };
 
 use self::{client::CompositeDeviceClient, command::CompositeCommand};
@@ -123,7 +123,7 @@ pub struct CompositeDevice {
     source_devices_discovered: Vec<SourceDevice>,
     /// Source devices that should be hidden before they are started. This
     /// is a list of devnode paths to hide (e.g. ["/dev/input/event10", "/dev/hidraw1"])
-    source_devices_to_hide: Vec<String>,
+    source_devices_to_hide: Vec<(String, &'static [HideFlag])>,
     /// HashSet of source devices that are blocked from passing their input events to target
     /// events.
     source_devices_blocked: HashSet<String>,
@@ -650,9 +650,9 @@ impl CompositeDevice {
     /// consume.
     async fn run_source_devices(&mut self) -> Result<(), Box<dyn Error>> {
         // Hide the device if specified
-        for source_path in self.source_devices_to_hide.drain(..) {
+        for (source_path, flags) in self.source_devices_to_hide.drain(..) {
             log::debug!("Hiding device: {}", source_path);
-            if let Err(e) = hide_device(source_path.as_str()).await {
+            if let Err(e) = hide_device(source_path.as_str(), flags).await {
                 log::warn!("Failed to hide device '{source_path}': {e:?}");
             }
             log::debug!("Finished hiding device: {source_path}");
@@ -1713,7 +1713,13 @@ impl CompositeDevice {
                     !should_passthru && subsystem.as_str() != "iio" && subsystem.as_str() != "tty";
                 if should_hide {
                     let source_path = device.devnode();
-                    self.source_devices_to_hide.push(source_path);
+                    let hide_from_root = source_config.as_ref().and_then(|c| c.hide_from_root);
+                    let flags: &[HideFlag] = if hide_from_root.unwrap_or_default() {
+                        &[HideFlag::ChangePermissions, HideFlag::MoveSourceDevice]
+                    } else {
+                        &[HideFlag::ChangePermissions]
+                    };
+                    self.source_devices_to_hide.push((source_path, flags));
                 }
 
                 match subsystem.as_str() {
diff --git a/src/udev/mod.rs b/src/udev/mod.rs
@@ -17,8 +17,15 @@ const RULE_HIDE_DEVICE_EARLY_PRIORITY: &str = "50";
 const RULE_HIDE_DEVICE_LATE_PRIORITY: &str = "96";
 const RULES_PREFIX: &str = "/run/udev/rules.d";
 
+/// HideFlags can be used to change the behavior of how devices are hidden.
+#[derive(Debug, PartialEq, Eq)]
+pub enum HideFlag {
+    ChangePermissions,
+    MoveSourceDevice,
+}
+
 /// Hide the given input device from regular users.
-pub async fn hide_device(path: &str) -> Result<(), Box<dyn Error>> {
+pub async fn hide_device(path: &str, flags: &[HideFlag]) -> Result<(), Box<dyn Error>> {
     // Get the device to hide
     let device = get_device(path.to_string()).await?;
     let name = device.name.clone();
@@ -30,34 +37,64 @@ pub async fn hide_device(path: &str) -> Result<(), Box<dyn Error>> {
         return Err("Unable to create match rule for device".into());
     };
 
-    // Create the directory to move devnodes to
-    tokio::fs::create_dir_all("/dev/inputplumber/sources").await?;
+    // Create the udev rule content to update permissions on the source node.
+    let mut chmod_early_rule = String::new();
+    let mut chmod_late_rule = String::new();
+    if flags.contains(&HideFlag::ChangePermissions) {
+        // Find the chmod command to use for hiding
+        let chmod_cmd = if Path::new("/bin/chmod").exists() {
+            "/bin/chmod".to_string()
+        } else if Path::new("/usr/bin/chmod").exists() {
+            "/usr/bin/chmod".to_string()
+        } else {
+            let output = Command::new("which").arg("chmod").output().await?;
+            if !output.status.success() {
+                return Err("Unable to determine chmod command location".into());
+            }
+            str::from_utf8(output.stdout.as_slice())?.trim().to_string()
+        };
 
-    // Find the chmod command to use for hiding
-    let chmod_cmd = if Path::new("/bin/chmod").exists() {
-        "/bin/chmod".to_string()
-    } else if Path::new("/usr/bin/chmod").exists() {
-        "/usr/bin/chmod".to_string()
-    } else {
-        let output = Command::new("which").arg("chmod").output().await?;
-        if !output.status.success() {
-            return Err("Unable to determine chmod command location".into());
-        }
-        str::from_utf8(output.stdout.as_slice())?.trim().to_string()
-    };
+        // Build the rule content
+        chmod_early_rule = format!(
+            r#"KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", MODE:="0000", GROUP:="root", RUN+="{chmod_cmd} 000 /dev/input/%k", SYMLINK+="inputplumber/by-hidden/%k"
+KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", MODE:="0000", GROUP:="root", RUN+="{chmod_cmd} 000 /dev/%k", SYMLINK+="inputplumber/by-hidden/%k"
+"#
+        );
+        chmod_late_rule = format!(
+            r#"KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", MODE="000", GROUP="root", TAG-="uaccess", RUN+="{chmod_cmd} 000 /dev/input/%k"
+KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", MODE="000", GROUP="root", TAG-="uaccess", RUN+="{chmod_cmd} 000 /dev/%k"
+"#
+        );
+    }
 
-    // Find the mv command to use for hiding
-    let mv_cmd = if Path::new("/bin/mv").exists() {
-        "/bin/mv".to_string()
-    } else if Path::new("/usr/bin/mv").exists() {
-        "/usr/bin/mv".to_string()
-    } else {
-        let output = Command::new("which").arg("mv").output().await?;
-        if !output.status.success() {
-            return Err("Unable to determine mv command location".into());
-        }
-        str::from_utf8(output.stdout.as_slice())?.trim().to_string()
-    };
+    // Create the udev rule content to move the device node
+    let mut mv_early_rule = String::new();
+    let mut mv_late_rule = String::new();
+    if flags.contains(&HideFlag::MoveSourceDevice) {
+        // Create the directory to move devnodes to
+        tokio::fs::create_dir_all("/dev/inputplumber/sources").await?;
+
+        // Find the mv command to use for hiding
+        let mv_cmd = if Path::new("/bin/mv").exists() {
+            "/bin/mv".to_string()
+        } else if Path::new("/usr/bin/mv").exists() {
+            "/usr/bin/mv".to_string()
+        } else {
+            let output = Command::new("which").arg("mv").output().await?;
+            if !output.status.success() {
+                return Err("Unable to determine mv command location".into());
+            }
+            str::from_utf8(output.stdout.as_slice())?.trim().to_string()
+        };
+
+        // Build the rule content
+        mv_early_rule = format!(
+            r#"KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", RUN+="{mv_cmd} /dev/input/%k /dev/inputplumber/sources/%k"
+KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", RUN+="{mv_cmd} /dev/%k /dev/inputplumber/sources/%k"
+"#
+        );
+        mv_late_rule = mv_early_rule.clone();
+    }
 
     // Create an early udev rule to hide the device
     let rule = format!(
@@ -66,10 +103,8 @@ pub async fn hide_device(path: &str) -> Result<(), Box<dyn Error>> {
 {match_rule}, GOTO="inputplumber_valid"
 GOTO="inputplumber_end"
 LABEL="inputplumber_valid"
-KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", MODE:="0000", GROUP:="root", RUN+="{chmod_cmd} 000 /dev/input/%k", SYMLINK+="inputplumber/by-hidden/%k"
-KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", MODE:="0000", GROUP:="root", RUN+="{chmod_cmd} 000 /dev/%k", SYMLINK+="inputplumber/by-hidden/%k"
-KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", RUN+="{mv_cmd} /dev/input/%k /dev/inputplumber/sources/%k"
-KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", RUN+="{mv_cmd} /dev/%k /dev/inputplumber/sources/%k"
+{chmod_early_rule}
+{mv_early_rule}
 LABEL="inputplumber_end"
 "#
     );
@@ -87,10 +122,8 @@ LABEL="inputplumber_end"
 {match_rule}, GOTO="inputplumber_valid"
 GOTO="inputplumber_end"
 LABEL="inputplumber_valid"
-KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", MODE="000", GROUP="root", TAG-="uaccess", RUN+="{chmod_cmd} 000 /dev/input/%k"
-KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", MODE="000", GROUP="root", TAG-="uaccess", RUN+="{chmod_cmd} 000 /dev/%k"
-KERNEL=="js[0-9]*|event[0-9]*", SUBSYSTEM=="{subsystem}", RUN+="{mv_cmd} /dev/input/%k /dev/inputplumber/sources/%k"
-KERNEL=="hidraw[0-9]*", SUBSYSTEM=="{subsystem}", RUN+="{mv_cmd} /dev/%k /dev/inputplumber/sources/%k"
+{chmod_late_rule}
+{mv_late_rule}
 LABEL="inputplumber_end"
 "#
     );
