From patchwork Wed Jul 3 17:10:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emil Velikov X-Patchwork-Id: 11029973 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5874B1398 for ; Wed, 3 Jul 2019 17:09:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 41073289B3 for ; Wed, 3 Jul 2019 17:09:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 35276289BA; Wed, 3 Jul 2019 17:09:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=unavailable version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id D6D9A289B3 for ; Wed, 3 Jul 2019 17:09:54 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 2A3BA6E176; Wed, 3 Jul 2019 17:09:52 +0000 (UTC) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) by gabe.freedesktop.org (Postfix) with ESMTPS id 90D7E6E154; Wed, 3 Jul 2019 17:09:50 +0000 (UTC) Received: by mail-wr1-x444.google.com with SMTP id u18so3699348wru.1; Wed, 03 Jul 2019 10:09:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2bsB9SvhfF7dUA0Vo/TmDM5qf+8jfXCRLhUWoe/kjIw=; b=TRXAmlq1D5GJFHwoyxu0RYv66drqJ4M/T73jyi/NiPla0u+9WR6ifi7QFxRjwBx9Af KDlPCfMaG5NxuyAo1ZRrDaah68nZkRiYqyrvHeDjVJLMp4+GFifa4mihGGLfEdBjMBV8 oQ7zvZgabzJLcKPC8asBpCqbAzoPX72HzMLqmLzT5TxgN/2GBH1ng65zX4fm7hmlkd5V JLEjXzgQ30g2x39uXSZ1AfH/mScWQevPkyrFYOY//uvE3OXGYvq67tLXshTzJknyuwiC DXSfEXfiJOqxWwlcjSiW3Tma2dEnlAtHBALqIdGoxMc9spXHIq8gCKifz6BF5DU76YyY gSlw== X-Gm-Message-State: APjAAAWUVpdgIWPq3MCpMv97bwo8x+9RO2ZNRFeXMyY8GE8T8LILDbT1 Q3uCa0s8gK/USboLDopB4FTzUp6O X-Google-Smtp-Source: APXvYqzNbgaTTbQMdI2WDpEP3vsHPlT/t6/Gg66kKTbPuiNnkQ/1jTHgjQghC4WbLCxNeJPs/8+99w== X-Received: by 2002:a5d:6743:: with SMTP id l3mr19217961wrw.241.1562173788944; Wed, 03 Jul 2019 10:09:48 -0700 (PDT) Received: from arch-x1c3.cbg.collabora.co.uk ([2a00:5f00:102:0:9665:9cff:feee:aa4d]) by smtp.gmail.com with ESMTPSA id y184sm2160092wmg.14.2019.07.03.10.09.47 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Wed, 03 Jul 2019 10:09:48 -0700 (PDT) From: Emil Velikov To: dri-devel@lists.freedesktop.org Date: Wed, 3 Jul 2019 18:10:01 +0100 Message-Id: <20190703171001.20474-1-emil.l.velikov@gmail.com> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190703133104.3211-1-emil.l.velikov@gmail.com> References: <20190703133104.3211-1-emil.l.velikov@gmail.com> MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=2bsB9SvhfF7dUA0Vo/TmDM5qf+8jfXCRLhUWoe/kjIw=; b=FOhrpe/YQmklGDVQ+5ykYSuGn+4z6S7AGRHwCrNQiETEMYTgMVBTL5TkQ16ePTqZ+s sE61OdY7KdG8bkF3LXx67B2U7CiewGPBMjiHZrVBls0ZiJ9vJP5+gEoqUDKofMdTOtLS asWsG0Z22rSipbtxV/6S6wFzwnvWsTVkCDY+38siGSw0Qe3x/K09LJBAI7uSIvMImOPv xl0Lu3sTUuI7U2C1ZgMcBH9H0dQAPZ7VzJHnpBxjNrc/H0OqUYtmpovueUgJrBccxsoK ypdvElNqfFXh3yYi7PM6bxvxkMdfrvbEtwvb2Jc7xoBlySLYuIjuyMv+p6tcAjqPKmMU 12gQ== Subject: [Intel-gfx] [PATCH] drm: allow render capable master with DRM_AUTH ioctls X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Vetter , intel-gfx@lists.freedesktop.org Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" X-Virus-Scanned: ClamAV using ClamSMTP From: Emil Velikov There are cases (in mesa and applications) where one would open the primary node without properly authenticating the client. Sometimes we don't check if the authentication succeeds, but there's also cases we simply forget to do it. The former was a case for Mesa where it did not not check the return value of drmGetMagic() [1]. That was fixed recently although, there's the question of older drivers or other apps that exbibit this behaviour. While omitting the call results in issues as seen in [2] and [3]. In the libva case, libva itself doesn't authenticate the DRM client and the vaGetDisplayDRM documentation doesn't mention if the app should either. As of today, the official vainfo utility doesn't authenticate. To workaround issues like these, some users resort to running their apps under sudo. Which admittedly isn't always a good idea. Since any DRIVER_RENDER driver has sufficient isolation between clients, we can use that, for unauthenticated [primary node] ioctls that require DRM_AUTH. But only if the respective ioctl is tagged as DRM_RENDER_ALLOW. v2: - Rework/simplify if check (Daniel V) - Add examples to commit messages, elaborate. (Daniel V) v3: - Use single unlikely (Daniel V) v4: - Reapply patch, check for amdgpu/radeon inline. [1] https://gitlab.freedesktop.org/mesa/mesa/blob/2bc1f5c2e70fe3b4d41f060af9859bc2a94c5b62/src/egl/drivers/dri2/platform_wayland.c#L1136 [2] https://lists.freedesktop.org/archives/libva/2016-July/004185.html [3] https://gitlab.freedesktop.org/mesa/kmscube/issues/1 Testcase: igt/core_unauth_vs_render Cc: intel-gfx@lists.freedesktop.org Cc: Daniel Vetter Signed-off-by: Emil Velikov Reviewed-by: Daniel Vetter --- This version effectively supersedes the DRIVER_FORCE_AUTH flag introduced here. https://lists.freedesktop.org/archives/dri-devel/2019-July/225165.html https://lists.freedesktop.org/archives/dri-devel/2019-July/225166.html --- drivers/gpu/drm/drm_ioctl.c | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 09f7f8e33fa3..ad7c67b89bdd 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -517,6 +517,29 @@ int drm_version(struct drm_device *dev, void *data, return err; } +static inline bool +drm_render_driver_and_ioctl(const struct drm_device *dev, u32 flags) +{ + return drm_core_check_feature(dev, DRIVER_RENDER) && + (flags & DRM_RENDER_ALLOW); +} + +/* + * Yet the AMD developers have voiced concerns that by allowing ioctls + * such as DRM_AUTH | DRM_RENDER_ALLOW w/o enforcing DRM_AUTH developers + * working on the closed source user-space driver might remove render + * node support. + * + * Since we do _not_ want that to happen, add workaround for those two + * drivers. + */ +static inline bool +is_amdgpu_or_radeon(const struct drm_device *dev) +{ + return ((dev->driver->name, "amdgpu") == 0 || + (dev->driver->name, "radeon") == 0); +} + /** * drm_ioctl_permit - Check ioctl permissions against caller * @@ -531,6 +554,8 @@ int drm_version(struct drm_device *dev, void *data, */ int drm_ioctl_permit(u32 flags, struct drm_file *file_priv) { + const struct drm_device *dev = file_priv->minor->dev; + /* ROOT_ONLY is only for CAP_SYS_ADMIN */ if (unlikely((flags & DRM_ROOT_ONLY) && !capable(CAP_SYS_ADMIN))) return -EACCES; @@ -538,7 +563,14 @@ int drm_ioctl_permit(u32 flags, struct drm_file *file_priv) /* AUTH is only for authenticated or render client */ if (unlikely((flags & DRM_AUTH) && !drm_is_render_client(file_priv) && !file_priv->authenticated)) - return -EACCES; + /* + * Although we allow: + * - render drivers with DRM_RENDER_ALLOW ioctls, when + * - we are not using amdgpu or radeon. + */ + if (!drm_render_driver_and_ioctl(dev, flags) || + is_amdgpu_or_radeon(dev)) + return -EACCES; /* MASTER is only for master or control clients */ if (unlikely((flags & DRM_MASTER) &&