From ee08211ee725385a389ee40268be4e798caf1b20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Borys=20Pop=C5=82awski?= <borysp@invisiblethingslab.com>
Date: Wed, 18 Aug 2021 03:34:08 +0200
Subject: [PATCH] Disallow running Graphene as root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
---
 Runtime/pal_loader | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Runtime/pal_loader b/Runtime/pal_loader
index 169423ca42..8ff99b7890 100755
--- a/Runtime/pal_loader
+++ b/Runtime/pal_loader
@@ -22,6 +22,16 @@ then
     exit 1
 fi
 
+if [ -z "$I_AM_AWARE_OF_CONSEQUENCES_AND_I_WONT_SUBMIT_GRAPHENE_REPORTS_WITH_THIS_ENABLED" ] && \
+    [ "$(id -u 2>/dev/null)" == "0" ]
+then
+    if tail /proc/kallsyms 2>/dev/null | grep -q ffff
+    then
+        echo "Please don't run Graphene as root!" >&2
+        exit 1
+    fi
+fi
+
 PAL_CMD=@PAL_CMD@
 LIBPAL_PATH=@LIBPAL_PATH@
 HOST_PAL_PATH=@HOST_PAL_PATH@