From: "Christian König" <ckoenig.leichtzumerken@gmail.com>
To: Emil Velikov <emil.l.velikov@gmail.com>, dri-devel@lists.freedesktop.org
Cc: intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 13/13] drm: allow render capable master with DRM_AUTH ioctls
Date: Mon, 27 May 2019 13:56:37 +0200
Message-ID: <fe26eded-51b0-9b8f-47c6-22cff6383c60@gmail.com>
In-Reply-To: <20190527081741.14235-13-emil.l.velikov@gmail.com>
On 27.05.19 at 10:17, Emil Velikov wrote:
> From: Emil Velikov <emil.velikov@collabora.com>
>
> There are cases (in mesa and applications) where one would open the
> primary node without properly authenticating the client.
>
> Sometimes we don't check if the authentication succeeds, but there are
> also cases where we simply forget to do it.
>
> The former was a case for Mesa where it did not check the return
> value of drmGetMagic() [1]. That was fixed recently, although there's
> the question of older drivers or other apps that exhibit this behaviour.
>
> While omitting the call results in issues as seen in [2] and [3].
>
> In the libva case, libva itself doesn't authenticate the DRM client and
> the vaGetDisplayDRM documentation doesn't mention if the app should
> either.
>
> As of today, the official vainfo utility doesn't authenticate.
>
> To work around issues like these, some users resort to running their apps
> under sudo, which admittedly isn't always a good idea.
>
> Since any DRIVER_RENDER driver has sufficient isolation between clients,
> we can use that, for unauthenticated [primary node] ioctls that require
> DRM_AUTH. But only if the respective ioctl is tagged as DRM_RENDER_ALLOW.
>
> v2:
> - Rework/simplify if check (Daniel V)
> - Add examples to commit messages, elaborate. (Daniel V)
>
> v3:
> - Use single unlikely (Daniel V)
>
> v4:
> - Patch was reverted because it broke AMDGPU, apply again. The AMDGPU
> issue is fixed with earlier patch.
As far as I can see this only affects the following two IOCTLs after
removing DRM_AUTH from the DRM_RENDER_ALLOW IOCTLs:
> DRM_IOCTL_DEF(DRM_IOCTL_PRIME_HANDLE_TO_FD,
> drm_prime_handle_to_fd_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW),
> DRM_IOCTL_DEF(DRM_IOCTL_PRIME_FD_TO_HANDLE,
> drm_prime_fd_to_handle_ioctl, DRM_AUTH|DRM_UNLOCKED|DRM_RENDER_ALLOW)
So I think it would be simpler to just remove DRM_AUTH from those two
instead of allowing it for everybody.
Regards,
Christian.
>
> [1] https://gitlab.freedesktop.org/mesa/mesa/blob/2bc1f5c2e70fe3b4d41f060af9859bc2a94c5b62/src/egl/drivers/dri2/platform_wayland.c#L1136
> [2] https://lists.freedesktop.org/archives/libva/2016-July/004185.html
> [3] https://gitlab.freedesktop.org/mesa/kmscube/issues/1
> Testcase: igt/core_unauth_vs_render
> Cc: intel-gfx@lists.freedesktop.org
> Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Link: https://patchwork.freedesktop.org/patch/msgid/20190114085408.15933-2-emil.l.velikov@gmail.com
> ---
> drivers/gpu/drm/drm_ioctl.c | 20 ++++++++++++++++----
> 1 file changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> index 9841c0076f02..b64b022a2b29 100644
> --- a/drivers/gpu/drm/drm_ioctl.c
> +++ b/drivers/gpu/drm/drm_ioctl.c
> @@ -511,6 +511,13 @@ int drm_version(struct drm_device *dev, void *data,
> return err;
> }
>
> +static inline bool
> +drm_render_driver_and_ioctl(const struct drm_device *dev, u32 flags)
> +{
> + return drm_core_check_feature(dev, DRIVER_RENDER) &&
> + (flags & DRM_RENDER_ALLOW);
> +}
> +
> /**
> * drm_ioctl_permit - Check ioctl permissions against caller
> *
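Review bot: drm_render_driver_and_ioctl() carries no comment saying why DRIVER_RENDER together with DRM_RENDER_ALLOW is enough to skip authentication; the rationale (sufficient isolation between clients on render-capable drivers) exists only in the commit message. A short comment above the helper would keep that reasoning next to the check it justifies. The name also reads as a conjunction of two conditions rather than as the permission it grants, which makes the call site in drm_ioctl_permit() harder to read.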
> @@ -525,14 +532,19 @@ int drm_version(struct drm_device *dev, void *data,
> */
> int drm_ioctl_permit(u32 flags, struct drm_file *file_priv)
> {
> + const struct drm_device *dev = file_priv->minor->dev;
> +
> /* ROOT_ONLY is only for CAP_SYS_ADMIN */
> if (unlikely((flags & DRM_ROOT_ONLY) && !capable(CAP_SYS_ADMIN)))
> return -EACCES;
>
> - /* AUTH is only for authenticated or render client */
> - if (unlikely((flags & DRM_AUTH) && !drm_is_render_client(file_priv) &&
> - !file_priv->authenticated))
> - return -EACCES;
> + /* AUTH is only for master ... */
> + if (unlikely((flags & DRM_AUTH) && drm_is_primary_client(file_priv))) {
> + /* authenticated ones, or render capable on DRM_RENDER_ALLOW. */
> + if (!file_priv->authenticated &&
> + !drm_render_driver_and_ioctl(dev, flags))
> + return -EACCES;
> + }
>
> /* MASTER is only for master or control clients */
> if (unlikely((flags & DRM_MASTER) &&
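Review bot: the rewritten DRM_AUTH check in drm_ioctl_permit() is entered only when drm_is_primary_client(file_priv) is true, whereas the removed lines returned -EACCES for every unauthenticated client that was not a render client. If any client type other than primary and render can reach this function, it now skips the DRM_AUTH check entirely; keeping the `!drm_is_render_client(file_priv)` form of the condition, or stating in the comment that only those two types exist, would avoid a silent widening. The exemption also applies to every ioctl tagged DRM_AUTH plus DRM_RENDER_ALLOW on any DRIVER_RENDER driver, so the kernel-doc above the function should say that DRM_AUTH is not enforced for unauthenticated primary clients in that case.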