On 6/18/05, Adam Jackson <[EMAIL PROTECTED]> wrote:
> On Saturday 18 June 2005 11:20, Jon Smirl wrote:
> > Access to the registers is something that should require root priv
> > right? Once I can get to the registers I can program them to control
> > the DMA hardware and then muck with the kernel's memory and escalate
> > my privilege level. EGL avoids this possible hole by not using the
> > registers from user space.
>
> Not all register access should require root. In fact you want to do as much
> as possible directly from userspace because shuffling large amounts of data
> into the kernel is painful. So what you need to restrict are those registers
> which can trigger reads and writes from arbitrary system memory bypassing the
> MMU, which basically means anything that can trigger bus-master writes or
> DMA.
>
> The point to notice here is that these registers are generally segmented apart in
> the card's memory map. If all those trigger regs are within a single 4k
> range, then that's the only range you need to hide from userspace.
Then this is a card-by-card problem. If user space needs to get to the registers, and we can't split the safe registers from the unsafe (security issues) ones, then the user space drivers also need to run as root.

> EGL really has nothing to do with this, it's entirely a driver issue.

I meant my radeon EGL driver. I am modifying it to run without root priv.

> > My solution would be to leave the permanent maps visible and then add
> > a root capability check when someone attempts to drmMap the registers.
> > It would be more complex to try and hide the map from GetMap.
>
> That's the whole point of the authmagic mechanism. The client gets a magic
> number from the kernel via drmGetMagic, and passes that up to the server in
> the XF86DRIAuthConnection call. The server checks that the client is
> properly authenticated, and tells the DRM to allow that magic number full
> authenticated (but not root-level) DRM access.

The auth mechanism has an implicit root capability check in it. I want to remove the need for the server to be root to authorize other users, so I need to remove that check. I also want to assign ownership of the dri/cardX device to the logged in user. If this check is removed then we have to make sure all of the driver IOCTLs are safe. Without this check I can just write a normal app that opens DRM and authenticates itself, since the first opener of the DRI device becomes master.

This is different than what you are talking about; I don't think you caught the part about removing the root check on the magic transaction.

--
Jon Smirl
[EMAIL PROTECTED]