On Saturday 18 June 2005 15:22, Jon Smirl wrote:
> On 6/18/05, Adam Jackson <[EMAIL PROTECTED]> wrote:
> > The point to notice here is that these registers are generally segmented
> > apart in the card's memory map.  If all those trigger regs are within a
> > single 4k range, then that's the only range you need to hide from
> > userspace.
>
> Then this is a card-by-card problem.  If user space needs to get to the
> registers, and we can't split the safe registers from the unsafe
> (security issues) ones, then the user space drivers also need to run
> as root.
You sound really confused here.  Obviously determining which sets of
registers can be mapped through the drm is a card-by-card problem.
Different cards have different register maps, by definition.  But the DRI
drivers work as a normal user _right_ _now_, and (modulo mach64 and
possibly r300) they seem to be secure.

The issue is that drmAddMap, the function that sets up these maps, is
currently run from the server during DDX bringup.  These maps can just as
easily be created during DRM init - and as a design issue, probably
_should_ be created there.  And if we do that, nothing else in the
server-side libdrm API needs to be run as root (that I can see).  The
client-side API doesn't need root anyway.

But please don't add any calls into the server-side API to the loadable
driver.  I know miniglx did it, but that doesn't mean it's not a bad idea.
The server-side API belongs _exclusively_ in the server.

> > That's the whole point of the authmagic mechanism.  The client gets a
> > magic number from the kernel via drmGetMagic, and passes that up to the
> > server in the XF86DRIAuthConnection call.  The server checks that the
> > client is properly authenticated, and tells the DRM to allow that magic
> > number full authenticated (but not root-level) DRM access.
>
> The auth mechanism has an implicit root capability check in it.  I want
> to remove the need for the server to be root to authorize other users
> so I need to remove that check.  I also want to assign ownership of the
> dri/cardX device to the logged in user.

And I'm saying that removing that check looks to be safe to do as long as
you're okay with racing to be the first DRI server.

> If this check is removed then we have to make sure all of the driver
> IOCTLs are safe.  Without this check I can just write a normal app that
> opens DRM and authenticates itself since the first opener of the DRI
> device becomes master.
> This is different than what you are talking about, I don't think you
> caught the part about removing the root check on the magic
> transaction.

No, I got it.  My point was that, excluding drmAddMap, the libdrm API that
is currently root-only can (AFAICT) be safely run as a user (ie, have the
root check removed) without reducing overall system security, as long as
you restrict it to the DRI server that currently owns the card.  Or, more
strongly, to the first DRI server that registers itself, since we
currently don't have any logic for supporting multiple DRI servers.

- ajax
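The authmagic exchange and the root-check question argued above, as an added worked model that is not part of this thread and not DRM or libdrm code. It is a toy of one card's DRM access control: the first opener of the device node becomes master, drmGetMagic hands a client a per-file token, drmAuthMagic lets the master vouch for that token, and every ioctl passes a gate that may require root, master, or an authenticated file. All MODEL_/model_ names, the three gate flags, the assumption that a root-opened file starts out authenticated, and the auth_requires_root switch (standing in for the "implicit root capability check" Jon wants removed) are assumptions of this model, not the kernel's actual data structures.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of one card's DRM access control, written for this page. It is
 * not kernel or libdrm code; every MODEL_/model_ name is an assumption. */
#define MODEL_MAX_FILES 8

enum {
    MODEL_AUTH      = 1 << 0, /* ioctl needs an authenticated file (a DRI client) */
    MODEL_MASTER    = 1 << 1, /* ioctl needs the master, i.e. the DRI server */
    MODEL_ROOT_ONLY = 1 << 2, /* ioctl needs root, e.g. drmAddMap today */
};

struct model_file {
    bool     open, master, authenticated, is_root;
    uint32_t magic; /* 0 = no magic issued yet */
};

struct model_dev {
    struct model_file files[MODEL_MAX_FILES];
    bool     have_master;
    uint32_t next_magic;
};

/* open(): the first opener of the device node becomes master; a root-opened
 * file starts out authenticated (model assumption). Returns fd or -1. */
int model_open(struct model_dev *dev, bool is_root)
{
    for (int fd = 0; fd < MODEL_MAX_FILES; fd++) {
        struct model_file *f = &dev->files[fd];
        if (f->open) continue;
        f->open = true;
        f->is_root = is_root;
        f->authenticated = is_root;
        f->master = !dev->have_master;
        dev->have_master = true;
        return fd;
    }
    return -1;
}

/* The gate every ioctl passes before dispatch: 0 = allowed, -1 = refused. */
int model_ioctl_allowed(struct model_dev *dev, int fd, int flags)
{
    if (fd < 0 || fd >= MODEL_MAX_FILES || !dev->files[fd].open) return -1;
    struct model_file *f = &dev->files[fd];
    if ((flags & MODEL_ROOT_ONLY) && !f->is_root)       return -1;
    if ((flags & MODEL_MASTER)    && !f->master)        return -1;
    if ((flags & MODEL_AUTH)      && !f->authenticated) return -1;
    return 0;
}

/* drmGetMagic counterpart: the kernel hands the file a per-file token. */
int model_get_magic(struct model_dev *dev, int fd, uint32_t *out)
{
    if (fd < 0 || fd >= MODEL_MAX_FILES || !dev->files[fd].open) return -1;
    struct model_file *f = &dev->files[fd];
    if (f->magic == 0) f->magic = dev->next_magic++;
    *out = f->magic;
    return 0;
}

/* drmAuthMagic counterpart: the master vouches for a magic it received over
 * the X connection. auth_requires_root models the "implicit root check". */
int model_auth_magic(struct model_dev *dev, int fd, uint32_t magic, bool auth_requires_root)
{
    int flags = MODEL_MASTER | (auth_requires_root ? MODEL_ROOT_ONLY : 0);
    if (model_ioctl_allowed(dev, fd, flags) != 0) return -1;
    for (int i = 0; i < MODEL_MAX_FILES; i++) {
        struct model_file *f = &dev->files[i];
        if (f->open && magic != 0 && f->magic == magic) {
            f->authenticated = true;
            return 0;
        }
    }
    return -1; /* no open file holds that magic */
}

/* The exchange from the message. If rogue_first, an unprivileged app opens the
 * device before the X server and tries to vouch for itself; otherwise the server
 * (first opener, hence master) vouches for a client's magic. Returns 1 if the
 * non-server file ends up with AUTH access, 0 if it stays locked out. */
int model_handshake(bool server_is_root, bool auth_requires_root, bool rogue_first)
{
    struct model_dev dev = { .next_magic = 1 };
    uint32_t magic = 0;
    int rogue  = rogue_first ? model_open(&dev, false) : -1; /* wins the race */
    int server = model_open(&dev, server_is_root);
    int client = rogue_first ? rogue : model_open(&dev, false);
    int voucher = rogue_first ? rogue : server;
    model_get_magic(&dev, client, &magic);               /* drmGetMagic */
    /* magic travels client -> server in XF86DRIAuthConnection (not modelled) */
    if (model_auth_magic(&dev, voucher, magic, auth_requires_root) != 0) return 0;
    /* authenticated never means master or root: those gates still refuse */
    if (model_ioctl_allowed(&dev, client, MODEL_ROOT_ONLY) == 0) return -1;
    return model_ioctl_allowed(&dev, client, MODEL_AUTH) == 0;
}
```

Calling model_handshake(true, true, false) is today's setup: a root X server passes the root check and the client gets authenticated but still non-master, non-root access. model_handshake(false, true, false) is a non-root server with the root check left in place, which can no longer authorize anyone; model_handshake(false, false, false) is the check removed, where being master is enough. The rogue_first cases show the race both sides of the thread describe: with the root check gone, whoever opens the device first is master and can vouch for its own magic, and nothing but root-only gates (drmAddMap and the like) still stand in its way.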