diff mbox

drm/i915: allow root to submit secure buffers even if !master

Message ID 1374079530-3919-1-git-send-email-jbarnes@virtuousgeek.org (mailing list archive)
State New, archived
Headers show

Commit Message

Jesse Barnes July 17, 2013, 4:45 p.m. UTC 
This should allow userland tools running under X to submit secure
batches for various things.  This gives master DRM clients slightly more
permissions, but doesn't give regular processes any more, since a root
process can already map the registers directly and poke at hw.

Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Chris Wilson July 17, 2013, 8:20 p.m. UTC | #1 
On Wed, Jul 17, 2013 at 09:45:30AM -0700, Jesse Barnes wrote:
> This should allow userland tools running under X to submit secure
> batches for various things.  This gives master DRM clients slightly more
> permissions, but doesn't give regular processes any more, since a root
> process can already map the registers directly and poke at hw.
> 
> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
> ---
>  drivers/gpu/drm/i915/i915_gem_execbuffer.c |    8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> index 1b58694..377aa1f 100644
> --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> @@ -858,10 +858,10 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
>  
>  	flags = 0;
>  	if (args->flags & I915_EXEC_SECURE) {
> -		if (!file->is_master || !capable(CAP_SYS_ADMIN))
> +		if (!f(ile->is_master || capable(CAP_SYS_ADMIN)))
> 		    return -EPERM;

Would have made for a much smaller patch.
-Chris
Jesse Barnes July 17, 2013, 8:26 p.m. UTC | #2 
On Wed, 17 Jul 2013 21:20:07 +0100
Chris Wilson <chris@chris-wilson.co.uk> wrote:

> On Wed, Jul 17, 2013 at 09:45:30AM -0700, Jesse Barnes wrote:
> > This should allow userland tools running under X to submit secure
> > batches for various things.  This gives master DRM clients slightly more
> > permissions, but doesn't give regular processes any more, since a root
> > process can already map the registers directly and poke at hw.
> > 
> > Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
> > ---
> >  drivers/gpu/drm/i915/i915_gem_execbuffer.c |    8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> > index 1b58694..377aa1f 100644
> > --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> > +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
> > @@ -858,10 +858,10 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
> >  
> >  	flags = 0;
> >  	if (args->flags & I915_EXEC_SECURE) {
> > -		if (!file->is_master || !capable(CAP_SYS_ADMIN))
> > +		if (!f(ile->is_master || capable(CAP_SYS_ADMIN)))
> > 		    return -EPERM;
> 
> Would have made for a much smaller patch.

And maybe without the typo? :)
diff mbox

Patch

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 1b58694..377aa1f 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -858,10 +858,10 @@  i915_gem_do_execbuffer(struct drm_device *dev, void *data,
 
 	flags = 0;
 	if (args->flags & I915_EXEC_SECURE) {
-		if (!file->is_master || !capable(CAP_SYS_ADMIN))
-		    return -EPERM;
-
-		flags |= I915_DISPATCH_SECURE;
+		if (file->is_master || capable(CAP_SYS_ADMIN))
+			flags |= I915_DISPATCH_SECURE;
+		else
+			return -EPERM;
 	}
 	if (args->flags & I915_EXEC_IS_PINNED)
 		flags |= I915_DISPATCH_PINNED;