Diffstat (limited to 'unix')
-rw-r--r-- | unix/vncpasswd/CMakeLists.txt | 3 | ||||
-rw-r--r-- | unix/vncserver/CMakeLists.txt | 5 | ||||
-rw-r--r-- | unix/vncserver/selinux/vncsession.te | 12 | ||||
-rw-r--r-- | unix/x0vncserver/CMakeLists.txt | 5 | ||||
-rw-r--r-- | unix/x0vncserver/x0vncserver.cxx | 45 | ||||
-rw-r--r-- | unix/xserver/hw/vnc/RFBGlue.cc | 33 | ||||
-rw-r--r-- | unix/xserver/hw/vnc/RFBGlue.h | 3 | ||||
-rw-r--r-- | unix/xserver/hw/vnc/XserverDesktop.cc | 38 | ||||
-rw-r--r-- | unix/xserver/hw/vnc/vncModule.c | 2 | ||||
-rw-r--r-- | unix/xserver/hw/vnc/xvnc.c | 42 |
10 files changed, 101 insertions, 87 deletions
diff --git a/unix/vncpasswd/CMakeLists.txt b/unix/vncpasswd/CMakeLists.txt index 6ed4adaf..2acc9288 100644 --- a/unix/vncpasswd/CMakeLists.txt +++ b/unix/vncpasswd/CMakeLists.txt @@ -5,7 +5,8 @@ target_include_directories(vncpasswd PUBLIC ${CMAKE_SOURCE_DIR}/common) target_link_libraries(vncpasswd core tx rfb) if(PWQUALITY_FOUND) - target_link_libraries(vncpasswd pwquality) + target_include_directories(vncpasswd SYSTEM PRIVATE ${PWQUALITY_INCLUDE_DIRS}) + target_link_libraries(vncpasswd ${PWQUALITY_LIBRARIES}) endif() install(TARGETS vncpasswd DESTINATION ${CMAKE_INSTALL_FULL_BINDIR}) diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt index ae69dc09..ed259c22 100644 --- a/unix/vncserver/CMakeLists.txt +++ b/unix/vncserver/CMakeLists.txt @@ -1,5 +1,8 @@ add_executable(vncsession vncsession.c) -target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) +target_include_directories(vncsession SYSTEM PRIVATE ${PAM_INCLUDE_DIRS}) +target_include_directories(vncsession SYSTEM PRIVATE ${SELINUX_INCLUDE_DIRS}) +target_link_libraries(vncsession ${PAM_LIBRARIES}) +target_link_libraries(vncsession ${SELINUX_LIBRARIES}) configure_file(vncserver@.service.in vncserver@.service @ONLY) configure_file(vncsession-start.in vncsession-start @ONLY) diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te index 4dbf687e..2ce4fc81 100644 --- a/unix/vncserver/selinux/vncsession.te +++ b/unix/vncserver/selinux/vncsession.te 
@@ -34,17 +34,13 @@ allow vnc_session_t self:capability { chown dac_override dac_read_search fowner allow vnc_session_t self:process { getcap setexec setrlimit setsched }; allow vnc_session_t self:fifo_file rw_fifo_file_perms; -optional_policy(` - gen_require(` - type sysctl_fs_t; - ') - allow vnc_session_t sysctl_fs_t:dir search; - allow vnc_session_t sysctl_fs_t:file { getattr open read }; -') - allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) +# Allow access to /proc/sys/fs/nr_open +# Needed when the nofile limit is set to unlimited. +kernel_read_fs_sysctls(vnc_session_t) + # Allowed to create ~/.local optional_policy(` gnome_filetrans_home_content(vnc_session_t) diff --git a/unix/x0vncserver/CMakeLists.txt b/unix/x0vncserver/CMakeLists.txt index 763f2de2..4ea09dd8 100644 --- a/unix/x0vncserver/CMakeLists.txt +++ b/unix/x0vncserver/CMakeLists.txt @@ -23,8 +23,9 @@ target_include_directories(x0vncserver PUBLIC ${CMAKE_SOURCE_DIR}/common) target_link_libraries(x0vncserver core tx rfb network rdr unixcommon) # systemd support (socket activation) -if (LIBSYSTEMD_FOUND) - target_link_libraries(x0vncserver ${LIBSYSTEMD_LIBRARIES}) +if (SYSTEMD_FOUND) + target_include_directories(x0vncserver SYSTEM PRIVATE ${SYSTEMD_INCLUDE_DIRS}) + target_link_libraries(x0vncserver ${SYSTEMD_LIBRARIES}) endif() if(X11_XTest_LIB) diff --git a/unix/x0vncserver/x0vncserver.cxx b/unix/x0vncserver/x0vncserver.cxx index b42c38df..b8b631aa 100644 --- a/unix/x0vncserver/x0vncserver.cxx +++ b/unix/x0vncserver/x0vncserver.cxx @@ -36,8 +36,10 @@ #include <core/LogWriter.h> #include <core/Timer.h> +#include <rdr/FdInStream.h> #include <rdr/FdOutStream.h> +#include <rfb/UnixPasswordValidator.h> #include <rfb/VNCServerST.h> #include <network/TcpSocket.h> 
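Review bot: The new comment says the rule exists for /proc/sys/fs/nr_open, but `kernel_read_fs_sysctls(vnc_session_t)` is not limited to that file: like the `sysctl_fs_t` rules it replaces, it applies to everything carrying the fs sysctl label. Wording such as `# Read access to fs sysctls (needed for /proc/sys/fs/nr_open when the nofile limit is unlimited)` would make the real scope visible to anyone auditing the domain. The call is also no longer wrapped in `optional_policy`, so the module now depends on that interface being available when the policy is built; that is presumably always the case for the kernel layer, but it is worth confirming against the oldest policy the project supports.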
@@ -334,12 +336,14 @@ int main(int argc, char** argv) exit(1); } + const char *displayName = XDisplayName(displayname); if (!(dpy = XOpenDisplay(displayname))) { // FIXME: Why not vlog.error(...)? fprintf(stderr,"%s: Unable to open display \"%s\"\r\n", - programName, XDisplayName(displayname)); + programName, displayName); exit(1); } + rfb::UnixPasswordValidator::setDisplayName(displayName); signal(SIGHUP, CleanupSignalHandler); signal(SIGINT, CleanupSignalHandler); @@ -359,6 +363,8 @@ int main(int argc, char** argv) rfb::VNCServerST server(desktopName, &desktop); + FileTcpFilter fileTcpFilter(hostsFile); + if (createSystemdListeners(&listeners) > 0) { // When systemd is in charge of listeners, do not listen to anything else vlog.info("Listening on systemd sockets"); @@ -387,7 +393,6 @@ int main(int argc, char** argv) (int)rfbport); } - FileTcpFilter fileTcpFilter(hostsFile); if (strlen(hostsFile) != 0) for (network::SocketListener* listener : listeners) listener->setFilter(&fileTcpFilter); @@ -420,15 +425,10 @@ int main(int argc, char** argv) server.getSockets(&sockets); int clients_connected = 0; for (i = sockets.begin(); i != sockets.end(); i++) { - if ((*i)->isShutdown()) { - server.removeSocket(*i); - delete (*i); - } else { - FD_SET((*i)->getFd(), &rfds); - if ((*i)->outStream().hasBufferedData()) - FD_SET((*i)->getFd(), &wfds); - clients_connected++; - } + FD_SET((*i)->getFd(), &rfds); + if ((*i)->outStream().hasBufferedData()) + FD_SET((*i)->getFd(), &wfds); + clients_connected++; } if (!clients_connected) 
@@ -493,6 +493,29 @@ int main(int argc, char** argv) server.processSocketReadEvent(*i); if (FD_ISSET((*i)->getFd(), &wfds)) server.processSocketWriteEvent(*i); + + // Do a graceful close by waiting for the peer to close their + // end + if ((*i)->isShutdown()) { + bool done; + + done = false; + while (true) { + try { + (*i)->inStream().skip((*i)->inStream().avail()); + if (!(*i)->inStream().hasData(1)) + break; + } catch (std::exception&) { + done = true; + break; + } + } + + if (done) { + server.removeSocket(*i); + delete (*i); + } + } } if (desktop.isRunning() && sched.goodTimeToPoll()) { diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc index b7616298..f217906a 100644 --- a/unix/xserver/hw/vnc/RFBGlue.cc +++ b/unix/xserver/hw/vnc/RFBGlue.cc @@ -32,6 +32,8 @@ #include <network/TcpSocket.h> +#include <rfb/UnixPasswordValidator.h> + #include "RFBGlue.h" // Loggers used by C code must be created here @@ -132,31 +134,9 @@ const char* vncGetParamDesc(const char *name) return param->getDescription(); } -int vncIsParamBool(const char *name) -{ - core::VoidParameter* param; - core::BoolParameter* bparam; - - param = core::Configuration::getParam(name); - if (param == nullptr) - return false; - - bparam = dynamic_cast<core::BoolParameter*>(param); - if (bparam == nullptr) - return false; - - return true; -} - int vncGetParamCount(void) { - int count; - - count = 0; - for (core::VoidParameter *param: *core::Configuration::global()) - count++; - - return count; + return core::Configuration::global()->size(); } char *vncGetParamList(void) @@ -256,3 +236,10 @@ int vncIsValidUTF8(const char* str, size_t bytes) return 0; } } + +void vncSetDisplayName(const char *displayNumStr) +{ + std::string displayName(":"); + displayName += displayNumStr; + rfb::UnixPasswordValidator::setDisplayName(displayName); +} diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h index 926f49c6..86304ad5 100644 --- a/unix/xserver/hw/vnc/RFBGlue.h 
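Review bot: The wait for the peer to close has no bound in time or in work, both in the `isShutdown()` block added after `processSocketWriteEvent` in main() and in the identical block added to XserverDesktop::handleSocketEvent. A client that never closes its end keeps the socket object and its fd alive, because removal now happens only once `done` is set by an exception; unless a timeout elsewhere (not visible in this diff) tears the connection down, such clients can accumulate. The inner `while (true)` also keeps draining for as long as `hasData(1)` finds more input, so a peer that keeps sending could hold the main loop. A single drain pass per readable event, plus a deadline after shutdown at which the socket is removed regardless, would cap both. The catch treats every `std::exception` as the peer having closed, which is fine for cleanup, but a `vlog.debug` of the reason would help when diagnosing stuck sessions; main() starts and ends outside the hunk.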
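Review bot: `vncSetDisplayName` appends `displayNumStr` to a `std::string` without checking it for NULL, which is undefined behaviour if a C caller ever passes a null pointer. The only caller in this diff passes the X server's `display` global from OsVendorInit, so this is a hardening point rather than a live bug; a guard such as `if (displayNumStr == nullptr) return;` at the top would make the exported C entry point safe. The declaration in RFBGlue.h would also benefit from a comment like `/* displayNumStr is the display number without the leading ':' */`, since the x0vncserver path passes a full display name to `setDisplayName` while this wrapper prepends the colon itself.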
+++ b/unix/xserver/hw/vnc/RFBGlue.h @@ -38,7 +38,6 @@ void vncLogDebug(const char *name, const char *format, ...) int vncSetParam(const char *name, const char *value); char* vncGetParam(const char *name); const char* vncGetParamDesc(const char *name); -int vncIsParamBool(const char *name); int vncGetParamCount(void); char *vncGetParamList(void); @@ -56,6 +55,8 @@ char* vncUTF8ToLatin1(const char* src, size_t bytes); int vncIsValidUTF8(const char* str, size_t bytes); +void vncSetDisplayName(const char *displayNumStr); + #ifdef __cplusplus } #endif diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc index d88ef874..1a7a06db 100644 --- a/unix/xserver/hw/vnc/XserverDesktop.cc +++ b/unix/xserver/hw/vnc/XserverDesktop.cc @@ -40,6 +40,7 @@ #include <core/Configuration.h> #include <core/LogWriter.h> +#include <rdr/FdInStream.h> #include <rdr/FdOutStream.h> #include <network/Socket.h> @@ -363,6 +364,31 @@ bool XserverDesktop::handleSocketEvent(int fd, if (write) sockserv->processSocketWriteEvent(*i); + // Do a graceful close by waiting for the peer to close their end + if ((*i)->isShutdown()) { + bool done; + + done = false; + while (true) { + try { + (*i)->inStream().skip((*i)->inStream().avail()); + if (!(*i)->inStream().hasData(1)) + break; + } catch (std::exception&) { + done = true; + break; + } + } + + if (done) { + vlog.debug("Client gone, sock %d",fd); + vncRemoveNotifyFd(fd); + sockserv->removeSocket(*i); + vncClientGone(fd); + delete (*i); + } + } + return true; } 
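Review bot: The graceful-close block added to handleSocketEvent is a copy of the one added to main() in x0vncserver.cxx, differing only in the cleanup calls. Keeping two copies of a loop that drains input from a disconnecting peer means any later fix (a bound on the loop, a timeout, logging) has to be made twice. Consider moving the drain into one shared helper that reports whether the peer has closed, leaving only `vncRemoveNotifyFd`, `removeSocket`, `vncClientGone` and `delete` at this call site. After `delete (*i)` the iterator refers to a freed object; the `return true` that follows makes that safe here, and a short comment saying so would protect it from later edits. handleSocketEvent starts outside the hunk.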
@@ -380,16 +406,8 @@ void XserverDesktop::blockHandler(int* timeout) server->getSockets(&sockets); for (i = sockets.begin(); i != sockets.end(); i++) { int fd = (*i)->getFd(); - if ((*i)->isShutdown()) { - vlog.debug("Client gone, sock %d",fd); - vncRemoveNotifyFd(fd); - server->removeSocket(*i); - vncClientGone(fd); - delete (*i); - } else { - /* Update existing NotifyFD to listen for write (or not) */ - vncSetNotifyFd(fd, screenIndex, true, (*i)->outStream().hasBufferedData()); - } + /* Update existing NotifyFD to listen for write (or not) */ + vncSetNotifyFd(fd, screenIndex, true, (*i)->outStream().hasBufferedData()); } // We are responsible for propagating mouse movement between clients diff --git a/unix/xserver/hw/vnc/vncModule.c b/unix/xserver/hw/vnc/vncModule.c index 5f0886a3..bff317b5 100644 --- a/unix/xserver/hw/vnc/vncModule.c +++ b/unix/xserver/hw/vnc/vncModule.c @@ -50,7 +50,7 @@ ExtensionModule vncExt = static XF86ModuleVersionInfo vncVersRec = { "vnc", - "TigerVNC project", + "TigerVNC", MODINFOSTRING1, MODINFOSTRING2, VENDOR_RELEASE, diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c index ddb24993..5cf673aa 100644 --- a/unix/xserver/hw/vnc/xvnc.c +++ b/unix/xserver/hw/vnc/xvnc.c @@ -110,7 +110,6 @@ static VncScreenInfo vncScreenInfo = { static Bool vncPixmapDepths[33]; static Bool Render = TRUE; -static Bool displaySpecified = FALSE; static char displayNumStr[16]; static int vncVerbose = 0; @@ -187,6 +186,9 @@ AbortDDX(enum ExitCode error) void OsVendorInit(void) { + /* At this point, display has been set, so we can use it to + * initialize UnixPasswordValidator */ + vncSetDisplayName(display); } void @@ -278,7 +280,7 @@ ddxProcessArgument(int argc, char *argv[], int i) } if (argv[i][0] == ':') - displaySpecified = TRUE; + return 0; #if XORG_OLDER_THAN(1, 21, 1) #define CHECK_FOR_REQUIRED_ARGUMENTS(num) \ 
@@ -386,7 +388,7 @@ ddxProcessArgument(int argc, char *argv[], int i) dup2(nullfd, 2); close(nullfd); - if (!displaySpecified) { + if (!explicit_display) { int port = vncGetSocketPort(vncInetdSock); int displayNum = port - 5900; @@ -400,9 +402,9 @@ ddxProcessArgument(int argc, char *argv[], int i) FatalError ("Xvnc error: No free display number for -inetd\n"); } - - display = displayNumStr; sprintf(displayNumStr, "%d", displayNum); + display = displayNumStr; + explicit_display = TRUE; } return 1; @@ -446,30 +448,11 @@ ddxProcessArgument(int argc, char *argv[], int i) } if (!strcmp(argv[i], "-showconfig") || !strcmp(argv[i], "-version")) { - /* Already shown at start */ + vncPrintBanner(); exit(0); } - /* We need to resolve an ambiguity for booleans */ - if (argv[i][0] == '-' && i + 1 < argc && vncIsParamBool(&argv[i][1])) { - if ((strcasecmp(argv[i + 1], "0") == 0) || - (strcasecmp(argv[i + 1], "1") == 0) || - (strcasecmp(argv[i + 1], "true") == 0) || - (strcasecmp(argv[i + 1], "false") == 0) || - (strcasecmp(argv[i + 1], "yes") == 0) || - (strcasecmp(argv[i + 1], "no") == 0)) { - vncSetParam(&argv[i][1], argv[i + 1]); - return 2; - } - } - - int ret; - - ret = vncHandleParamArg(argc, argv, i); - if (ret != 0) - return ret; - - return 0; + return vncHandleParamArg(argc, argv, i); } static Bool @@ -1171,8 +1154,11 @@ InitOutput(ScreenInfo * scrInfo, int argc, char **argv) int i; int NumFormats = 0; - if (serverGeneration == 1) + if (serverGeneration == 1) { + vncPrintBanner(); + LoadExtensionList(vncExtensions, ARRAY_SIZE(vncExtensions), TRUE); + } #if XORG_AT_LEAST(1, 20, 0) xorgGlxCreateVendor(); @@ -1266,7 +1252,5 @@ vncClientGone(int fd) int main(int argc, char *argv[], char *envp[]) { - vncPrintBanner(); - return dix_main(argc, argv, envp); } |
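Review bot: `sprintf(displayNumStr, "%d", displayNum);` writes into the 16-byte `displayNumStr` with no length limit. A `%d` of an int fits today, so this is not an overflow as written, but since the surrounding lines are being reordered anyway, `snprintf(displayNumStr, sizeof(displayNumStr), "%d", displayNum);` keeps it safe if the format or the buffer ever changes. The enclosing -inetd branch of ddxProcessArgument starts outside the hunk.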
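Review bot: Dropping the boolean special case changes how a two-token form such as `-<BoolParam> 0` is parsed, unless `vncHandleParamArg` (not shown in this diff) handles it the same way. Previously that form was applied with `vncSetParam` and consumed two arguments. If the helper instead treats a bare `-<BoolParam>` as "enable" and returns 1, the following `0`, `false` or `no` becomes a separate argument and the parameter ends up on when the operator meant off, which matters for security-relevant booleans. Please confirm the helper covers the value list removed here (`0`, `1`, `true`, `false`, `yes`, `no`, case-insensitive); a one-line comment above `return vncHandleParamArg(argc, argv, i);` stating that it does would record the intent.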