fced221684
Move 36 platform-specific files into per-module `windows/` and `linux/` subfolders (and the
shared HID codecs into `inject/proto/`):
capture/{windows,linux}/ encode/{windows,linux}/ inject/{windows,linux,proto}/
audio/{windows,linux}/ vdisplay/{windows,linux}/
src/windows/ (service, wgc_helper, win_adapter, win_display)
src/linux/ (dmabuf_fence, drm_sync, zerocopy/)
Done with `#[path]`, NOT a module rename: every file moves into its folder while the
`crate::*::*` module names stay FLAT, so all caller paths and every internal `super::`/`crate::`
reference are unchanged — only the parent `mod` decls gained `#[path = "..."]`. This is the
codebase's existing pattern (inject's gamepad_windows) and makes the move byte-identical in
behaviour with ZERO reference churn, far lower risk than collapsing to a single
`crate::capture::windows::` namespace (that deeper rename is an optional follow-on; this delivers
the cfg-sprawl folder confinement the stage is about). Done LAST, after the semantic stages, so
the path churn didn't fight them.
Verified: Linux cargo check + clippy (-D warnings) clean; my mod-decl changes fmt-clean (the 3
remaining fmt diffs are pre-existing local-rustfmt-version skew that moved with their files); all
36 `#[path]` targets exist; no internal `#[path]`/`include!`/file-child-mod in any moved file
(the inline `mod X {` blocks are self-contained). Box build to follow.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
135 lines
5.4 KiB
Rust
135 lines
5.4 KiB
Rust
//! Input-desktop watcher (Windows) — the authoritative "normal vs secure desktop" signal for the
|
|
//! two-process secure-desktop design (docs/windows-secure-desktop.md).
|
|
//!
|
|
//! Windows switches the *input desktop* to "Winlogon" (the secure desktop) for UAC elevation, the
|
|
//! lock screen and the login screen, and back to "Default" for the normal session. WGC captures only
|
|
//! the normal desktop; DDA-as-SYSTEM captures the secure one. A dedicated thread polls the input
|
|
//! desktop's NAME (WTS session notifications miss UAC entirely, so the name is the reliable signal)
|
|
//! and publishes it as an atomic the capture mux + input path read.
|
|
|
|
use std::sync::atomic::{AtomicBool, AtomicU8, Ordering};
|
|
use std::sync::Arc;
|
|
use std::time::Duration;
|
|
use windows::Win32::Foundation::HANDLE;
|
|
use windows::Win32::System::StationsAndDesktops::{
|
|
CloseDesktop, GetUserObjectInformationW, OpenInputDesktop, DESKTOP_ACCESS_FLAGS,
|
|
DESKTOP_CONTROL_FLAGS, UOI_NAME,
|
|
};
|
|
|
|
/// The normal interactive desktop ("Default") — WGC capture applies.
|
|
pub const DESKTOP_NORMAL: u8 = 0;
|
|
/// The secure desktop ("Winlogon": UAC / lock / login) — DDA-as-SYSTEM capture applies.
|
|
pub const DESKTOP_SECURE: u8 = 1;
|
|
|
|
/// Polls the input-desktop name on its own thread and publishes [`DESKTOP_NORMAL`]/[`DESKTOP_SECURE`].
|
|
pub struct DesktopWatcher {
|
|
state: Arc<AtomicU8>,
|
|
stop: Arc<AtomicBool>,
|
|
}
|
|
|
|
impl DesktopWatcher {
|
|
pub fn start() -> Self {
|
|
// Compute the CURRENT desktop synchronously before returning, so the first reader (the capture
|
|
// mux) sees the real state immediately. Otherwise a session that begins already on the secure
|
|
// desktop (e.g. a reconnect to a locked box) would read DESKTOP_NORMAL for the first poll
|
|
// interval and relay one stale normal-desktop frame — the "flash of the login screen" bug.
|
|
let initial = if unsafe { is_secure_desktop() } {
|
|
DESKTOP_SECURE
|
|
} else {
|
|
DESKTOP_NORMAL
|
|
};
|
|
let state = Arc::new(AtomicU8::new(initial));
|
|
let stop = Arc::new(AtomicBool::new(false));
|
|
let s = state.clone();
|
|
let st = stop.clone();
|
|
let _ = std::thread::Builder::new()
|
|
.name("desktop-watch".into())
|
|
.spawn(move || {
|
|
// Debounce: only publish a change after the raw reading has been stable for several
|
|
// polls. The input desktop flaps Default↔Winlogon transiently during a lock/UAC
|
|
// transition; publishing every flap makes the capture mux thrash (rebuild storms).
|
|
const STABLE_POLLS: u32 = 4; // ~80ms
|
|
let mut published = initial;
|
|
let mut candidate = initial;
|
|
let mut stable = 0u32;
|
|
while !st.load(Ordering::Relaxed) {
|
|
let v = if unsafe { is_secure_desktop() } {
|
|
DESKTOP_SECURE
|
|
} else {
|
|
DESKTOP_NORMAL
|
|
};
|
|
if v == candidate {
|
|
stable = stable.saturating_add(1);
|
|
} else {
|
|
candidate = v;
|
|
stable = 1;
|
|
}
|
|
if stable >= STABLE_POLLS && candidate != published {
|
|
s.store(candidate, Ordering::Release);
|
|
published = candidate;
|
|
tracing::info!(
|
|
desktop = if candidate == DESKTOP_SECURE {
|
|
"Winlogon(secure)"
|
|
} else {
|
|
"Default"
|
|
},
|
|
"input desktop changed (debounced)"
|
|
);
|
|
}
|
|
std::thread::sleep(Duration::from_millis(20));
|
|
}
|
|
});
|
|
DesktopWatcher { state, stop }
|
|
}
|
|
|
|
/// The shared atomic ([`DESKTOP_NORMAL`]/[`DESKTOP_SECURE`]) for the capture mux to read.
|
|
pub fn state(&self) -> Arc<AtomicU8> {
|
|
self.state.clone()
|
|
}
|
|
|
|
/// True when the secure (Winlogon) desktop is the input desktop right now.
|
|
pub fn is_secure(&self) -> bool {
|
|
self.state.load(Ordering::Acquire) == DESKTOP_SECURE
|
|
}
|
|
}
|
|
|
|
impl Drop for DesktopWatcher {
|
|
fn drop(&mut self) {
|
|
self.stop.store(true, Ordering::Relaxed);
|
|
}
|
|
}
|
|
|
|
/// True if the current input desktop is "Winlogon" (the secure desktop). Best-effort: if the desktop
|
|
/// can't be opened or named, report not-secure (the safe default — keep WGC/normal capture).
|
|
pub(crate) unsafe fn is_secure_desktop() -> bool {
|
|
let desk = match OpenInputDesktop(
|
|
DESKTOP_CONTROL_FLAGS(0),
|
|
false,
|
|
DESKTOP_ACCESS_FLAGS(DESKTOP_READOBJECTS),
|
|
) {
|
|
Ok(d) => d,
|
|
Err(_) => return false,
|
|
};
|
|
let mut buf = [0u16; 64];
|
|
let mut needed = 0u32;
|
|
let ok = GetUserObjectInformationW(
|
|
HANDLE(desk.0),
|
|
UOI_NAME,
|
|
Some(buf.as_mut_ptr() as *mut _),
|
|
(buf.len() * 2) as u32,
|
|
Some(&mut needed),
|
|
)
|
|
.is_ok();
|
|
let _ = CloseDesktop(desk);
|
|
if !ok {
|
|
return false;
|
|
}
|
|
let name = String::from_utf16_lossy(&buf);
|
|
name.trim_end_matches('\u{0}')
|
|
.eq_ignore_ascii_case("Winlogon")
|
|
}
|
|
|
|
/// `DESKTOP_READOBJECTS` access right (the windows crate exposes it as a typed flag; we need the raw
|
|
/// bit for `OpenInputDesktop`'s access mask).
|
|
const DESKTOP_READOBJECTS: u32 = 0x0001;
|