On Saturday 18 June 2005 11:20, Jon Smirl wrote:
> Access to the registers is something that should require root priv
> right? Once I can get to the registers I can program them to control
> the DMA hardware and then muck with the kernel's memory and escalate
> my privilege level. EGL avoids this possible hole by not using the
> registers from user space.

Not all register access should require root. In fact you want to do as much as possible directly from userspace because shuffling large amounts of data into the kernel is painful. So what you need to restrict are those registers which can trigger reads and writes from arbitrary system memory bypassing the MMU, which basically means anything that can trigger bus-master writes or DMA. The point to notice here is that these registers are generally segmented apart in the card's memory map. If all those trigger regs are within a single 4k range, then that's the only range you need to hide from userspace. EGL really has nothing to do with this, it's entirely a driver issue.

> My solution would be to leave the permanent maps visible and then add
> a root capability check when someone attempts to drmMap the registers.
> It would be more complex to try and hide the map from GetMap.

That's the whole point of the authmagic mechanism. The client gets a magic number from the kernel via drmGetMagic, and passes that up to the server in the XF86DRIAuthConnection call. The server checks that the client is properly authenticated, and tells the DRM to allow that magic number full authenticated (but not root-level) DRM access. The drm API really has three parts: base, authenticated, and master. drmMap is part of the authenticated API, so there's no need to add any additional hiding. Any sensitive register ranges would just be unavailable through drmMap and accessible only from the kernel side, and the safe ranges would only be available after a GetMagic/AuthConnection cycle.

> I haven't gotten to where I need to AddMap sarea. Can we prebuild a
> permanent map for it too?

You could; I'm not sure you want to. In principle it should get charged to the DRM master process. But it's like two pages, not a huge deal either way.

> Right now I'm blocked on the AuthMagic call needing root.
Of the master-level API, I think only drmAddMap really needs to be restricted to root (to the extent it should exist at all). The rest can be made available to only the first DRM client to start (the server, presumably). I'm not entirely comfortable with that, but I can't completely articulate why yet... - ajax
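As an added example (not code from this thread, libdrm or the kernel DRM), here is a small C model of the base/authenticated/master split and the GetMagic/AuthMagic cycle described above. The `model_get_magic`, `model_auth_magic` and `model_map` functions are hypothetical stand-ins for drmGetMagic, the AuthMagic step and drmMap, and the card memory map is constructed, with the DMA trigger page segmented apart from the safe ranges and the SAREA.

```c
#include <stdint.h>
#include <stdbool.h>
/* Hypothetical model of the base / authenticated / master scheme the
 * thread describes; not libdrm or kernel DRM code. */
enum level { LVL_BASE, LVL_AUTH, LVL_MASTER };
struct map_range { uint32_t base, size; bool dma_trigger; };
/* Constructed card memory map: the 4k page of bus-master/DMA trigger
 * registers is segmented apart from the ranges safe for userspace. */
static const struct map_range ranges[] = {
    { 0x0000, 0x1000, true  },   /* DMA trigger registers: kernel-only */
    { 0x1000, 0x3000, false },   /* safe registers */
    { 0x4000, 0x2000, false },   /* SAREA, two pages */
};
#define NRANGES (sizeof ranges / sizeof ranges[0])
#define MAX_CLIENTS 8
struct client { uint32_t magic; enum level lvl; };
static struct client clients[MAX_CLIENTS];
static int nclients;
static struct client *find_client(uint32_t magic) {
    for (int i = 0; i < nclients; i++)
        if (clients[i].magic == magic) return &clients[i];
    return 0;
}

/* Client side: obtain a magic from the "kernel"; it starts at base level. */
uint32_t model_get_magic(void) {
    if (nclients == MAX_CLIENTS) return 0;
    clients[nclients] = (struct client){ 1000u + nclients, LVL_BASE };
    return clients[nclients++].magic;
}

/* Master side: once the server has verified the client on its own
 * connection, it promotes that magic to authenticated (never to master). */
int model_auth_magic(enum level caller, uint32_t magic) {
    struct client *c = find_client(magic);
    if (caller != LVL_MASTER || !c) return -1;
    c->lvl = LVL_AUTH;
    return 0;
}

/* drmMap-like call: trigger ranges are never mappable from userspace,
 * and everything else needs an authenticated magic. 0 = allowed. */
int model_map(uint32_t magic, uint32_t base) {
    struct client *c = find_client(magic);
    if (!c || c->lvl < LVL_AUTH) return -1;
    for (unsigned i = 0; i < NRANGES; i++)
        if (ranges[i].base == base) return ranges[i].dma_trigger ? -1 : 0;
    return -1;
}
```

The point of the model is that the trigger page is refused regardless of the caller's level, so nothing in userspace ever has to be trusted with it.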