Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Thu Oct 24, 2019 at 10:50 AM Drew DeVault wrote: > So, I'm not sure what the action items are here. It seems like we might > have uncovered a potentially icky race condition in Linux, but that this > protocol is not really affected. Bump. Happy halloween! ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
So, I'm not sure what the action items are here. It seems like we might have uncovered a potentially icky race condition in Linux, but that this protocol is not really affected. ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Mon, Oct 21, 2019 at 10:48 AM Pekka Paalanen wrote: > > On Fri, 18 Oct 2019 17:47:49 +0200 > Daniel Vetter wrote: > > > On Fri, Oct 18, 2019 at 4:34 PM Pekka Paalanen wrote: > > > > > > On Fri, 18 Oct 2019 16:19:33 +0200 > > > Daniel Vetter wrote: > > > > > > > On Fri, Oct 18, 2019 at 3:43 PM Pekka Paalanen > > > > wrote: > > > > > > > > > > On Fri, 18 Oct 2019 07:54:50 -0400 > > > > > "Drew DeVault" wrote: > > > > > > > > > > > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > > > > > > One thing I did not know the last time was that apparently > > > > > > > systemd-logind may not like to give out non-master DRM fds. That > > > > > > > might > > > > > > > need fixing in logind implementations. I hope someone would step > > > > > > > up to > > > > > > > look into that. > > > > > > > > > > > > > > This protocol aims to deliver a harmless "read-only" DRM device > > > > > > > file > > > > > > > description to a client, so that the client can enumerate all DRM > > > > > > > resources, fetch EDID and other properties to be able to decide > > > > > > > which > > > > > > > connector it would want to lease. The client should not be able to > > > > > > > change any KMS state through this fd, and it should not be able > > > > > > > to e.g. > > > > > > > spy on display contents. The assumption is that a non-master DRM > > > > > > > fd > > > > > > > from a fresh open() would be fine for this, but is it? > > > > > > > > > > > > What I do for wlroots is call drmGetDeviceNameFromFd2, which > > > > > > returns the > > > > > > path to the device file, and then I open() it and use > > > > > > drmIsMaster/drmDropMaster to make sure it's not a master fd. This > > > > > > seems > > > > > > to work correctly in practice. > > > > > > > > > > That is nice. > > > > > > > > > > Personally I'm specifically worried about a setup where the user has > > > > > no > > > > > access permissions to open the DRM device node directly, as is (or > > > > > should be) the case with input devices. > > > > > > > > > > However, since DRM has the master concept which input devices do not, > > > > > maybe there is no reason to prevent a normal user from opening a DRM > > > > > device directly. That is, if our assumption that a non-master DRM fd > > > > > is > > > > > harmless holds. > > > > > > > > > > (Wayland display servers usually run as a normal user, while logind > > > > > or another service runs with elevated privileges and opens input and > > > > > DRM devices on behalf of the display server.) > > > > > > > > So the rules are (if I'm not making a mistake) > > > > - If you're not CAP_SYS_ADMIN you can't get/drop_master. > > > > > > Hi, > > > > > > not able to drop, yikes. So if someone pokes the Wayland DRM leasing > > > interface while the display server is VT switched away (does not have > > > DRM master), and maybe no-one else has DRM master either (you're > > > hacking in VT text mode), then a new DRM fd would be master with no way > > > out? > > > > > > So Wayland display servers should make sure they have master themselves > > > before sending a supposedly non-master DRM fd to anyone else. I wonder > > > if the Wayland protocol extension needs to consider that the compositor > > > might not be able to send any fd soon. Being able to defer sending the > > > fd should probably be mentioned in the protocol spec, so that clients > > > do not expect a simple roundtrip to be enough to ensure the fd has > > > arrived. > > > > > > > - This is a bit awkward, since non-root can become a master, when > > > > there's no other master right at this point. So if you want to be able > > > > to do this, we should probably clarify this part of the uapi somehow > > > > (either de-priv drop_master or make sure non-root can't become master, > > > > but the latter probably will break something somewhere). Plus igts to > > > > lock down this behaviour. Note that if logind does a vt switch there's > > > > a race window where no one is master and you might be able to squeeze > > > > in. So perhaps we do want to stop this behaviour and require > > > > CAP_SYS_ADMIN to become master, even accidentally. > > > > > > That would close the loophole that Ville mentioned, too, otherwise > > > distributions should aim to not give permissions to open the DRM device > > > node. > > > > I'm kinda wondering whether we have to do this as a security fix, with > > maybe a module option to get the old behaviour back for those who > > need/want that. But I don't even know whom/where to ping for logind > > folks ... > > I would guess https://lists.freedesktop.org/mailman/listinfo/systemd-devel > > It's fairly low traffic nowadays. Hm I thought the moved all over to github. Adding to cc, in case that still gets somewhere. Super short summary: While vt-switching there's a race window where anyone who can open the primary drm fd can become drm master, even if they're non-root. And the only way to fix up that mess is with close() (since the dropmaster
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 18 Oct 2019 17:47:49 +0200 Daniel Vetter wrote: > On Fri, Oct 18, 2019 at 4:34 PM Pekka Paalanen wrote: > > > > On Fri, 18 Oct 2019 16:19:33 +0200 > > Daniel Vetter wrote: > > > > > On Fri, Oct 18, 2019 at 3:43 PM Pekka Paalanen > > > wrote: > > > > > > > > On Fri, 18 Oct 2019 07:54:50 -0400 > > > > "Drew DeVault" wrote: > > > > > > > > > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > > > > > One thing I did not know the last time was that apparently > > > > > > systemd-logind may not like to give out non-master DRM fds. That > > > > > > might > > > > > > need fixing in logind implementations. I hope someone would step up > > > > > > to > > > > > > look into that. > > > > > > > > > > > > This protocol aims to deliver a harmless "read-only" DRM device file > > > > > > description to a client, so that the client can enumerate all DRM > > > > > > resources, fetch EDID and other properties to be able to decide > > > > > > which > > > > > > connector it would want to lease. The client should not be able to > > > > > > change any KMS state through this fd, and it should not be able to > > > > > > e.g. > > > > > > spy on display contents. The assumption is that a non-master DRM fd > > > > > > from a fresh open() would be fine for this, but is it? > > > > > > > > > > What I do for wlroots is call drmGetDeviceNameFromFd2, which returns > > > > > the > > > > > path to the device file, and then I open() it and use > > > > > drmIsMaster/drmDropMaster to make sure it's not a master fd. This > > > > > seems > > > > > to work correctly in practice. > > > > > > > > That is nice. > > > > > > > > Personally I'm specifically worried about a setup where the user has no > > > > access permissions to open the DRM device node directly, as is (or > > > > should be) the case with input devices. > > > > > > > > However, since DRM has the master concept which input devices do not, > > > > maybe there is no reason to prevent a normal user from opening a DRM > > > > device directly. That is, if our assumption that a non-master DRM fd is > > > > harmless holds. > > > > > > > > (Wayland display servers usually run as a normal user, while logind > > > > or another service runs with elevated privileges and opens input and > > > > DRM devices on behalf of the display server.) > > > > > > So the rules are (if I'm not making a mistake) > > > - If you're not CAP_SYS_ADMIN you can't get/drop_master. > > > > Hi, > > > > not able to drop, yikes. So if someone pokes the Wayland DRM leasing > > interface while the display server is VT switched away (does not have > > DRM master), and maybe no-one else has DRM master either (you're > > hacking in VT text mode), then a new DRM fd would be master with no way > > out? > > > > So Wayland display servers should make sure they have master themselves > > before sending a supposedly non-master DRM fd to anyone else. I wonder > > if the Wayland protocol extension needs to consider that the compositor > > might not be able to send any fd soon. Being able to defer sending the > > fd should probably be mentioned in the protocol spec, so that clients > > do not expect a simple roundtrip to be enough to ensure the fd has > > arrived. > > > > > - This is a bit awkward, since non-root can become a master, when > > > there's no other master right at this point. So if you want to be able > > > to do this, we should probably clarify this part of the uapi somehow > > > (either de-priv drop_master or make sure non-root can't become master, > > > but the latter probably will break something somewhere). Plus igts to > > > lock down this behaviour. Note that if logind does a vt switch there's > > > a race window where no one is master and you might be able to squeeze > > > in. So perhaps we do want to stop this behaviour and require > > > CAP_SYS_ADMIN to become master, even accidentally. > > > > That would close the loophole that Ville mentioned, too, otherwise > > distributions should aim to not give permissions to open the DRM device > > node. > > I'm kinda wondering whether we have to do this as a security fix, with > maybe a module option to get the old behaviour back for those who > need/want that. But I don't even know whom/where to ping for logind > folks ... I would guess https://lists.freedesktop.org/mailman/listinfo/systemd-devel It's fairly low traffic nowadays. > > > - I thought you can always re-open your own fd through proc? Which > > > should be good enough for this use-case here. > > > > We can? And that creates a new file description the same way as open() > > in the original device node? > > I dreamed, it's just a normal symlink, nothing fancy. D'oh. So we have two options: ensure logind is happy to deliver also non-master DRM fds, or prohibit an open() on a DRM device node from becoming master without CAP_SYS_ADMIN or something, right? Drew does have a point though: if a non-CAP_SYS_ADMIN process gains DRM master, it has no way to drop
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, Oct 18, 2019 at 4:34 PM Pekka Paalanen wrote: > > On Fri, 18 Oct 2019 16:19:33 +0200 > Daniel Vetter wrote: > > > On Fri, Oct 18, 2019 at 3:43 PM Pekka Paalanen wrote: > > > > > > On Fri, 18 Oct 2019 07:54:50 -0400 > > > "Drew DeVault" wrote: > > > > > > > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > > > > One thing I did not know the last time was that apparently > > > > > systemd-logind may not like to give out non-master DRM fds. That might > > > > > need fixing in logind implementations. I hope someone would step up to > > > > > look into that. > > > > > > > > > > This protocol aims to deliver a harmless "read-only" DRM device file > > > > > description to a client, so that the client can enumerate all DRM > > > > > resources, fetch EDID and other properties to be able to decide which > > > > > connector it would want to lease. The client should not be able to > > > > > change any KMS state through this fd, and it should not be able to > > > > > e.g. > > > > > spy on display contents. The assumption is that a non-master DRM fd > > > > > from a fresh open() would be fine for this, but is it? > > > > > > > > What I do for wlroots is call drmGetDeviceNameFromFd2, which returns the > > > > path to the device file, and then I open() it and use > > > > drmIsMaster/drmDropMaster to make sure it's not a master fd. This seems > > > > to work correctly in practice. > > > > > > That is nice. > > > > > > Personally I'm specifically worried about a setup where the user has no > > > access permissions to open the DRM device node directly, as is (or > > > should be) the case with input devices. > > > > > > However, since DRM has the master concept which input devices do not, > > > maybe there is no reason to prevent a normal user from opening a DRM > > > device directly. That is, if our assumption that a non-master DRM fd is > > > harmless holds. > > > > > > (Wayland display servers usually run as a normal user, while logind > > > or another service runs with elevated privileges and opens input and > > > DRM devices on behalf of the display server.) > > > > So the rules are (if I'm not making a mistake) > > - If you're not CAP_SYS_ADMIN you can't get/drop_master. > > Hi, > > not able to drop, yikes. So if someone pokes the Wayland DRM leasing > interface while the display server is VT switched away (does not have > DRM master), and maybe no-one else has DRM master either (you're > hacking in VT text mode), then a new DRM fd would be master with no way > out? > > So Wayland display servers should make sure they have master themselves > before sending a supposedly non-master DRM fd to anyone else. I wonder > if the Wayland protocol extension needs to consider that the compositor > might not be able to send any fd soon. Being able to defer sending the > fd should probably be mentioned in the protocol spec, so that clients > do not expect a simple roundtrip to be enough to ensure the fd has > arrived. > > > - This is a bit awkward, since non-root can become a master, when > > there's no other master right at this point. So if you want to be able > > to do this, we should probably clarify this part of the uapi somehow > > (either de-priv drop_master or make sure non-root can't become master, > > but the latter probably will break something somewhere). Plus igts to > > lock down this behaviour. Note that if logind does a vt switch there's > > a race window where no one is master and you might be able to squeeze > > in. So perhaps we do want to stop this behaviour and require > > CAP_SYS_ADMIN to become master, even accidentally. > > That would close the loophole that Ville mentioned, too, otherwise > distributions should aim to not give permissions to open the DRM device > node. I'm kinda wondering whether we have to do this as a security fix, with maybe a module option to get the old behaviour back for those who need/want that. But I don't even know whom/where to ping for logind folks ... > > - I thought you can always re-open your own fd through proc? Which > > should be good enough for this use-case here. > > We can? And that creates a new file description the same way as open() > in the original device node? I dreamed, it's just a normal symlink, nothing fancy. > Does that avoid becoming master in the above VT-switched-away scenario? Would be a reopen like open(3), so same problem until we fix that. -Daniel > > - Non-master primary node should indeed give you all the GET* ioctls > > for kms, and nothing else useful or at least dangerous (you might be > > able to render with that thing). Just make sure you dont authenticate > > that new fd. Again maybe we should clarify our docs a bit to make this > > use case official. > > Awesome, thanks, > pq -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 18 Oct 2019 10:43:16 -0400 "Drew DeVault" wrote: > Regarding hotplugging, the Wayland compositor is probably keeping track > of hotplugs itself and withdrawing/offering connectors as appropriate. > Also, when the lease is issued, the compositor withdraws that connector. > For the client, upon hotplug I imagine the DRM asks start to fail, and > it handles that accordingly (presumably it'll close the lease, if the > compositor hasn't already, and wait for it to come back, or just exit). DRM KMS operations do not fail merely because a connector becomes disconnected. You can even force on a connector that is initially disconnected. If you mean on revoking the lease or losing DRM master, yes, then I'd expect KMS ioctls start to fail. But is disconnection reason enough to revoke the lease? I guess we shall see. > When a hotplug of a leased connector happens on the compositor side, it > can notice this and exercise its descretion in the implementation. I > think the current text of the protocol supports this view. Ok, so the expectation is that a compositor does not offer disconnected connectors, and withdraws offered but then disconnected connectors, and that it sends offers for connectors that become connected while leasable. I suppose that is reasonable, I still think a sentence suggesting towards such behaviour would be in place. Btw. there is more to hotplug events than just connected/disconnected: link status changes, and HDCP status changes. I suspect more is coming, too. At some point we might need to add a hotplug event in the protocol, but I think that is easy to do even after stabilization. Thanks, pq pgpvbLYNimu7D.pgp Description: OpenPGP digital signature ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 2019-10-18 at 10:43 -0400, Drew DeVault wrote: > Regarding hotplugging, the Wayland compositor is probably keeping track > of hotplugs itself and withdrawing/offering connectors as appropriate. > > Also, when the lease is issued, the compositor withdraws that connector. > For the client, upon hotplug I imagine the DRM asks start to fail, and > it handles that accordingly (presumably it'll close the lease, if the > compositor hasn't already, and wait for it to come back, or just exit). Right. Whether it waits or quits should be the decision of the client, and I'd like there to be a good way to "wait for it to come back" (or to appear, initially). If the compositor sends a new zwp_drm_lease_manager_v1.connector event after the HMD connector becomes leasable (again), that should be good enough. [...] > > So Wayland display servers should make sure they have master themselves > > before sending a supposedly non-master DRM fd to anyone else. I wonder > > if the Wayland protocol extension needs to consider that the compositor > > might not be able to send any fd soon. Being able to defer sending the > > fd should probably be mentioned in the protocol spec, so that clients > > do not expect a simple roundtrip to be enough to ensure the fd has > > arrived. > > When you VT switch away, the Wayland compositor is no longer necessarily > able to lease those displays anyway - it's not the master anymore. So it > should withdraw them, and in case of a race it'll reject the lease > request. Right. On VT switch away, revoking all leases and disabling those connectors is the only sensible thing the compositor can do. However, that is completely independent from the sending the drm_fd event. The spec currently says: "The compositor will send this event when the zwp_drm_lease_manager_v1 global is bound.". But if the client binds the global while the compositor doesn't have DRM master privilege, and if it is not possible to securely produce a non-master drm_fd to send at this time, maybe the sentence should be changed to "The compositor will send this event some time after the zwp_drm_lease_manager_v1 global is bound."? regards Philipp ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
Regarding hotplugging, the Wayland compositor is probably keeping track of hotplugs itself and withdrawing/offering connectors as appropriate. Also, when the lease is issued, the compositor withdraws that connector. For the client, upon hotplug I imagine the DRM asks start to fail, and it handles that accordingly (presumably it'll close the lease, if the compositor hasn't already, and wait for it to come back, or just exit). When a hotplug of a leased connector happens on the compositor side, it can notice this and exercise its descretion in the implementation. I think the current text of the protocol supports this view. On Fri Oct 18, 2019 at 5:34 PM Pekka Paalanen wrote: > > So the rules are (if I'm not making a mistake) > > - If you're not CAP_SYS_ADMIN you can't get/drop_master. > > not able to drop, yikes. So if someone pokes the Wayland DRM leasing > interface while the display server is VT switched away (does not have > DRM master), and maybe no-one else has DRM master either (you're > hacking in VT text mode), then a new DRM fd would be master with no way > out? fwiw I have an assert(!drmIsMaster(fd)); before I send it to the client, just to be safe. But this may be misguided, since apparently if it ends up with a master node drmDropMaster(fd) won't work. I kind of find this hard to believe, if there's only ever one master, and the master cannot drop master, then why does this ioctl even exist? > So Wayland display servers should make sure they have master themselves > before sending a supposedly non-master DRM fd to anyone else. I wonder > if the Wayland protocol extension needs to consider that the compositor > might not be able to send any fd soon. Being able to defer sending the > fd should probably be mentioned in the protocol spec, so that clients > do not expect a simple roundtrip to be enough to ensure the fd has > arrived. When you VT switch away, the Wayland compositor is no longer necessarily able to lease those displays anyway - it's not the master anymore. So it should withdraw them, and in case of a race it'll reject the lease request. ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 18 Oct 2019 16:19:33 +0200 Daniel Vetter wrote: > On Fri, Oct 18, 2019 at 3:43 PM Pekka Paalanen wrote: > > > > On Fri, 18 Oct 2019 07:54:50 -0400 > > "Drew DeVault" wrote: > > > > > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > > > One thing I did not know the last time was that apparently > > > > systemd-logind may not like to give out non-master DRM fds. That might > > > > need fixing in logind implementations. I hope someone would step up to > > > > look into that. > > > > > > > > This protocol aims to deliver a harmless "read-only" DRM device file > > > > description to a client, so that the client can enumerate all DRM > > > > resources, fetch EDID and other properties to be able to decide which > > > > connector it would want to lease. The client should not be able to > > > > change any KMS state through this fd, and it should not be able to e.g. > > > > spy on display contents. The assumption is that a non-master DRM fd > > > > from a fresh open() would be fine for this, but is it? > > > > > > What I do for wlroots is call drmGetDeviceNameFromFd2, which returns the > > > path to the device file, and then I open() it and use > > > drmIsMaster/drmDropMaster to make sure it's not a master fd. This seems > > > to work correctly in practice. > > > > That is nice. > > > > Personally I'm specifically worried about a setup where the user has no > > access permissions to open the DRM device node directly, as is (or > > should be) the case with input devices. > > > > However, since DRM has the master concept which input devices do not, > > maybe there is no reason to prevent a normal user from opening a DRM > > device directly. That is, if our assumption that a non-master DRM fd is > > harmless holds. > > > > (Wayland display servers usually run as a normal user, while logind > > or another service runs with elevated privileges and opens input and > > DRM devices on behalf of the display server.) > > So the rules are (if I'm not making a mistake) > - If you're not CAP_SYS_ADMIN you can't get/drop_master. Hi, not able to drop, yikes. So if someone pokes the Wayland DRM leasing interface while the display server is VT switched away (does not have DRM master), and maybe no-one else has DRM master either (you're hacking in VT text mode), then a new DRM fd would be master with no way out? So Wayland display servers should make sure they have master themselves before sending a supposedly non-master DRM fd to anyone else. I wonder if the Wayland protocol extension needs to consider that the compositor might not be able to send any fd soon. Being able to defer sending the fd should probably be mentioned in the protocol spec, so that clients do not expect a simple roundtrip to be enough to ensure the fd has arrived. > - This is a bit awkward, since non-root can become a master, when > there's no other master right at this point. So if you want to be able > to do this, we should probably clarify this part of the uapi somehow > (either de-priv drop_master or make sure non-root can't become master, > but the latter probably will break something somewhere). Plus igts to > lock down this behaviour. Note that if logind does a vt switch there's > a race window where no one is master and you might be able to squeeze > in. So perhaps we do want to stop this behaviour and require > CAP_SYS_ADMIN to become master, even accidentally. That would close the loophole that Ville mentioned, too, otherwise distributions should aim to not give permissions to open the DRM device node. > - I thought you can always re-open your own fd through proc? Which > should be good enough for this use-case here. We can? And that creates a new file description the same way as open() in the original device node? Does that avoid becoming master in the above VT-switched-away scenario? > - Non-master primary node should indeed give you all the GET* ioctls > for kms, and nothing else useful or at least dangerous (you might be > able to render with that thing). Just make sure you dont authenticate > that new fd. Again maybe we should clarify our docs a bit to make this > use case official. Awesome, thanks, pq pgpbCNseElfVP.pgp Description: OpenPGP digital signature ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, Oct 18, 2019 at 3:43 PM Pekka Paalanen wrote: > > On Fri, 18 Oct 2019 07:54:50 -0400 > "Drew DeVault" wrote: > > > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > > One thing I did not know the last time was that apparently > > > systemd-logind may not like to give out non-master DRM fds. That might > > > need fixing in logind implementations. I hope someone would step up to > > > look into that. > > > > > > This protocol aims to deliver a harmless "read-only" DRM device file > > > description to a client, so that the client can enumerate all DRM > > > resources, fetch EDID and other properties to be able to decide which > > > connector it would want to lease. The client should not be able to > > > change any KMS state through this fd, and it should not be able to e.g. > > > spy on display contents. The assumption is that a non-master DRM fd > > > from a fresh open() would be fine for this, but is it? > > > > What I do for wlroots is call drmGetDeviceNameFromFd2, which returns the > > path to the device file, and then I open() it and use > > drmIsMaster/drmDropMaster to make sure it's not a master fd. This seems > > to work correctly in practice. > > That is nice. > > Personally I'm specifically worried about a setup where the user has no > access permissions to open the DRM device node directly, as is (or > should be) the case with input devices. > > However, since DRM has the master concept which input devices do not, > maybe there is no reason to prevent a normal user from opening a DRM > device directly. That is, if our assumption that a non-master DRM fd is > harmless holds. > > (Wayland display servers usually run as a normal user, while logind > or another service runs with elevated privileges and opens input and > DRM devices on behalf of the display server.) So the rules are (if I'm not making a mistake) - If you're not CAP_SYS_ADMIN you can't get/drop_master. - This is a bit awkward, since non-root can become a master, when there's no other master right at this point. So if you want to be able to do this, we should probably clarify this part of the uapi somehow (either de-priv drop_master or make sure non-root can't become master, but the latter probably will break something somewhere). Plus igts to lock down this behaviour. Note that if logind does a vt switch there's a race window where no one is master and you might be able to squeeze in. So perhaps we do want to stop this behaviour and require CAP_SYS_ADMIN to become master, even accidentally. - I thought you can always re-open your own fd through proc? Which should be good enough for this use-case here. - Non-master primary node should indeed give you all the GET* ioctls for kms, and nothing else useful or at least dangerous (you might be able to render with that thing). Just make sure you dont authenticate that new fd. Again maybe we should clarify our docs a bit to make this use case official. Cheers, Daniel -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 18 Oct 2019 15:47:39 +0200 Philipp Zabel wrote: > On Fri, 2019-10-18 at 08:51 +, Simon Ser wrote: > > On Thursday, October 17, 2019 11:15 PM, Drew DeVault wrote: > > > > > On Thu Oct 17, 2019 at 6:08 PM Simon Ser wrote: > > > > > > > Should we keep the connector event, now that we have an unprivileged > > > > DRM FD? > > > > Alternatives include: > > > > > > > > - Let the client use the FD to get what it needs (EDID/a configured > > > > output/something else). > > > > > > > > > > Isn't this: > > > > > > > - Keep an event to advertise lease-able connector IDs > > > > > > What it's still there for? I'm not sure I understand, otherwise how is > > > the client supposed to know which DRM resources it can request a lease > > > for? How does it encode those intentions into a lease request? afaict > > > the connector is still necessary. > > > > The client can recognize EDIDs it's interested in, and then try to > > lease these connectors. The lease will fail if the connectors aren't > > leasable. This isn't a big deal for e.g. VR and we can always add the > > connector event later if needed. > > If there was no event for the appearance of leasable connectors, the > client would have to listen to hotplug uevents itself if it wants to be > capable of handling HMDs plugged in later. Is this something we want to > require? Supporting hotplug is a good question. I didn't think the connector events were for that, though. I think hotplug and hot-unplug should be discussed in the spec, how they are expected to work. DRM hotplug events are udev events which (for now) just say "hey, go re-scan stuff, something probably changed". I don't think clients should need to listen to udev events as well. Thanks, pq pgpF55VUk7wOD.pgp Description: OpenPGP digital signature ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, Oct 18, 2019 at 04:43:29PM +0300, Pekka Paalanen wrote: > On Fri, 18 Oct 2019 07:54:50 -0400 > "Drew DeVault" wrote: > > > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > > One thing I did not know the last time was that apparently > > > systemd-logind may not like to give out non-master DRM fds. That might > > > need fixing in logind implementations. I hope someone would step up to > > > look into that. > > > > > > This protocol aims to deliver a harmless "read-only" DRM device file > > > description to a client, so that the client can enumerate all DRM > > > resources, fetch EDID and other properties to be able to decide which > > > connector it would want to lease. The client should not be able to > > > change any KMS state through this fd, and it should not be able to e.g. > > > spy on display contents. The assumption is that a non-master DRM fd > > > from a fresh open() would be fine for this, but is it? > > > > What I do for wlroots is call drmGetDeviceNameFromFd2, which returns the > > path to the device file, and then I open() it and use > > drmIsMaster/drmDropMaster to make sure it's not a master fd. This seems > > to work correctly in practice. > > That is nice. > > Personally I'm specifically worried about a setup where the user has no > access permissions to open the DRM device node directly, as is (or > should be) the case with input devices. > > However, since DRM has the master concept which input devices do not, > maybe there is no reason to prevent a normal user from opening a DRM > device directly. That is, if our assumption that a non-master DRM fd is > harmless holds. If there is no master then the first guy to open the device automagically becomes the master. Maybe a theoretical DoS vector if you can sneak in and open the device between dropmaster/setmaster? -- Ville Syrjälä Intel ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 2019-10-18 at 08:51 +, Simon Ser wrote: > On Thursday, October 17, 2019 11:15 PM, Drew DeVault wrote: > > > On Thu Oct 17, 2019 at 6:08 PM Simon Ser wrote: > > > > > Should we keep the connector event, now that we have an unprivileged > > > DRM FD? > > > Alternatives include: > > > > > > - Let the client use the FD to get what it needs (EDID/a configured > > > output/something else). > > > > > > > Isn't this: > > > > > - Keep an event to advertise lease-able connector IDs > > > > What it's still there for? I'm not sure I understand, otherwise how is > > the client supposed to know which DRM resources it can request a lease > > for? How does it encode those intentions into a lease request? afaict > > the connector is still necessary. > > The client can recognize EDIDs it's interested in, and then try to > lease these connectors. The lease will fail if the connectors aren't > leasable. This isn't a big deal for e.g. VR and we can always add the > connector event later if needed. If there was no event for the appearance of leasable connectors, the client would have to listen to hotplug uevents itself if it wants to be capable of handling HMDs plugged in later. Is this something we want to require? regards Philipp ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri, 18 Oct 2019 07:54:50 -0400 "Drew DeVault" wrote: > On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > > One thing I did not know the last time was that apparently > > systemd-logind may not like to give out non-master DRM fds. That might > > need fixing in logind implementations. I hope someone would step up to > > look into that. > > > > This protocol aims to deliver a harmless "read-only" DRM device file > > description to a client, so that the client can enumerate all DRM > > resources, fetch EDID and other properties to be able to decide which > > connector it would want to lease. The client should not be able to > > change any KMS state through this fd, and it should not be able to e.g. > > spy on display contents. The assumption is that a non-master DRM fd > > from a fresh open() would be fine for this, but is it? > > What I do for wlroots is call drmGetDeviceNameFromFd2, which returns the > path to the device file, and then I open() it and use > drmIsMaster/drmDropMaster to make sure it's not a master fd. This seems > to work correctly in practice. That is nice. Personally I'm specifically worried about a setup where the user has no access permissions to open the DRM device node directly, as is (or should be) the case with input devices. However, since DRM has the master concept which input devices do not, maybe there is no reason to prevent a normal user from opening a DRM device directly. That is, if our assumption that a non-master DRM fd is harmless holds. (Wayland display servers usually run as a normal user, while logind or another service runs with elevated privileges and opens input and DRM devices on behalf of the display server.) Thanks, pq pgp4cfL93OTzF.pgp Description: OpenPGP digital signature ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Fri Oct 18, 2019 at 12:21 PM Pekka Paalanen wrote: > One thing I did not know the last time was that apparently > systemd-logind may not like to give out non-master DRM fds. That might > need fixing in logind implementations. I hope someone would step up to > look into that. > > This protocol aims to deliver a harmless "read-only" DRM device file > description to a client, so that the client can enumerate all DRM > resources, fetch EDID and other properties to be able to decide which > connector it would want to lease. The client should not be able to > change any KMS state through this fd, and it should not be able to e.g. > spy on display contents. The assumption is that a non-master DRM fd > from a fresh open() would be fine for this, but is it? What I do for wlroots is call drmGetDeviceNameFromFd2, which returns the path to the device file, and then I open() it and use drmIsMaster/drmDropMaster to make sure it's not a master fd. This seems to work correctly in practice. ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Thu, 17 Oct 2019 13:45:27 -0400 Drew DeVault wrote: > From: Marius Vlad > > DRM leasing is a feature which allows the DRM master to "lease" a subset > of its DRM resources to another DRM master via drmModeCreateLease, which > returns a file descriptor for the new DRM master. We use this protocol > to negotiate the terms of the lease and transfer this file descriptor to > clients. > > In less DRM-specific terms: this protocol allows Wayland compositors to > give over their GPU resources (like displays) to a Wayland client to > exclusively control. > > The primary use-case for this is Virtual Reality headsets, which via the > non-desktop DRM property are generally not used as desktop displays by > Wayland compositors, and for latency reasons (among others) are most > useful to games et al if they have direct control over the DRM resources > associated with it. Basically, these are peripherals which are of no use > to the compositor and may be of use to a client, but since they are tied > up in DRM we need to use DRM leasing to get them into client's hands. > > Signed-off-by: Marius Vlad > Signed-off-by: Drew DeVault > --- > v7's main change is that, upon binding to the drm_lease_manager, the > server now sends along a non-master DRM fd for the client to use to > enumerate resources. For this reason, the EDID event has been removed > from the connector interface, under the assumption that clients who want > to examine the EDID will line the connnector ID up with the appropriate > resources from DRM. Hi Drew, thanks for this, I really hope it works out since the protocol is so neat and tidy now. One thing I did not know the last time was that apparently systemd-logind may not like to give out non-master DRM fds. That might need fixing in logind implementations. I hope someone would step up to look into that. I'm CC'ing dri-devel and Daniel Vetter to get some kernel side review for the non-master DRM fd idea: This protocol aims to deliver a harmless "read-only" DRM device file description to a client, so that the client can enumerate all DRM resources, fetch EDID and other properties to be able to decide which connector it would want to lease. The client should not be able to change any KMS state through this fd, and it should not be able to e.g. spy on display contents. The assumption is that a non-master DRM fd from a fresh open() would be fine for this, but is it? If it is not, could we make one that is? Simply giving out an fd for the client to inspect with standard DRM ioctls is just so convenient. ** I wouldn't mind if the below links were part of the proper commit message. > Updated patches are available for: > > wlroots: https://github.com/swaywm/wlroots/pull/1730 > sway: https://github.com/swaywm/sway/pull/4289 > kmscube: https://git.sr.ht/~sircmpwn/kmscube > Xwayland: https://gitlab.freedesktop.org/xorg/xserver/merge_requests/248 > > Additionally, the Vulkan extension has been polished up: > > https://github.com/KhronosGroup/Vulkan-Docs/pull/1001 > > A new implementation for Mesa's Vulkan WSI implementation will be > available soon, as well as an implementation of the Wayland extension > for Monado. > > Makefile.am | 1 + > unstable/drm-lease/README| 5 + > unstable/drm-lease/drm-lease-unstable-v1.xml | 246 +++ > 3 files changed, 252 insertions(+) > create mode 100644 unstable/drm-lease/README > create mode 100644 unstable/drm-lease/drm-lease-unstable-v1.xml > > diff --git a/Makefile.am b/Makefile.am > index 345ae6a..d9fff89 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -4,6 +4,7 @@ unstable_protocols = > \ > unstable/pointer-gestures/pointer-gestures-unstable-v1.xml > \ > unstable/fullscreen-shell/fullscreen-shell-unstable-v1.xml > \ > unstable/linux-dmabuf/linux-dmabuf-unstable-v1.xml > \ > + unstable/drm-lease/drm-lease-unstable-v1.xml > \ > unstable/text-input/text-input-unstable-v1.xml > \ > unstable/text-input/text-input-unstable-v3.xml > \ > unstable/input-method/input-method-unstable-v1.xml > \ > diff --git a/unstable/drm-lease/README b/unstable/drm-lease/README > new file mode 100644 > index 000..16f8551 > --- /dev/null > +++ b/unstable/drm-lease/README > @@ -0,0 +1,5 @@ > +Linux DRM lease > + > +Maintainers: > +Drew DeVault > +Marius Vlad Marius' email address probably needs refreshing? > diff --git a/unstable/drm-lease/drm-lease-unstable-v1.xml > b/unstable/drm-lease/drm-lease-unstable-v1.xml > new file mode 100644 > index 000..5fbc0e3 > --- /dev/null > +++ b/unstable/drm-lease/drm-lease-unstable-v1.xml > @@ -0,0 +1,246 @@ > + > + > + > +Copyright © 2018 NXP > +Copyright © 2019 Status Research Development
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Thursday, October 17, 2019 11:15 PM, Drew DeVault wrote: > On Thu Oct 17, 2019 at 6:08 PM Simon Ser wrote: > > > Should we keep the connector event, now that we have an unprivileged > > DRM FD? > > Alternatives include: > > > > - Let the client use the FD to get what it needs (EDID/a configured > > output/something else). > > > > Isn't this: > > > - Keep an event to advertise lease-able connector IDs > > What it's still there for? I'm not sure I understand, otherwise how is > the client supposed to know which DRM resources it can request a lease > for? How does it encode those intentions into a lease request? afaict > the connector is still necessary. The client can recognize EDIDs it's interested in, and then try to lease these connectors. The lease will fail if the connectors aren't leasable. This isn't a big deal for e.g. VR and we can always add the connector event later if needed. Regarding the second point: the current event creates an object, which makes the protocol complicated with e.g. the stop request. We could just have a connector event which sends a uint connector_id without creating a new object. ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
On Thu Oct 17, 2019 at 6:08 PM Simon Ser wrote: > Should we keep the connector event, now that we have an unprivileged > DRM FD? > > Alternatives include: > > - Let the client use the FD to get what it needs (EDID/a configured > output/something else). Isn't this: > - Keep an event to advertise lease-able connector IDs What it's still there for? I'm not sure I understand, otherwise how is the client supposed to know which DRM resources it can request a lease for? How does it encode those intentions into a lease request? afaict the connector is still necessary. ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH v7] unstable/drm-lease: DRM lease protocol support
Should we keep the connector event, now that we have an unprivileged DRM FD? Alternatives include: - Let the client use the FD to get what it needs (EDID/a configured output/something else). - Keep an event to advertise lease-able connector IDs ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/wayland-devel
[PATCH v7] unstable/drm-lease: DRM lease protocol support
From: Marius Vlad DRM leasing is a feature which allows the DRM master to "lease" a subset of its DRM resources to another DRM master via drmModeCreateLease, which returns a file descriptor for the new DRM master. We use this protocol to negotiate the terms of the lease and transfer this file descriptor to clients. In less DRM-specific terms: this protocol allows Wayland compositors to give over their GPU resources (like displays) to a Wayland client to exclusively control. The primary use-case for this is Virtual Reality headsets, which via the non-desktop DRM property are generally not used as desktop displays by Wayland compositors, and for latency reasons (among others) are most useful to games et al if they have direct control over the DRM resources associated with it. Basically, these are peripherals which are of no use to the compositor and may be of use to a client, but since they are tied up in DRM we need to use DRM leasing to get them into client's hands. Signed-off-by: Marius Vlad Signed-off-by: Drew DeVault --- v7's main change is that, upon binding to the drm_lease_manager, the server now sends along a non-master DRM fd for the client to use to enumerate resources. For this reason, the EDID event has been removed from the connector interface, under the assumption that clients who want to examine the EDID will line the connnector ID up with the appropriate resources from DRM. Updated patches are available for: wlroots: https://github.com/swaywm/wlroots/pull/1730 sway: https://github.com/swaywm/sway/pull/4289 kmscube: https://git.sr.ht/~sircmpwn/kmscube Xwayland: https://gitlab.freedesktop.org/xorg/xserver/merge_requests/248 Additionally, the Vulkan extension has been polished up: https://github.com/KhronosGroup/Vulkan-Docs/pull/1001 A new implementation for Mesa's Vulkan WSI implementation will be available soon, as well as an implementation of the Wayland extension for Monado. Makefile.am | 1 + unstable/drm-lease/README| 5 + unstable/drm-lease/drm-lease-unstable-v1.xml | 246 +++ 3 files changed, 252 insertions(+) create mode 100644 unstable/drm-lease/README create mode 100644 unstable/drm-lease/drm-lease-unstable-v1.xml diff --git a/Makefile.am b/Makefile.am index 345ae6a..d9fff89 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,6 +4,7 @@ unstable_protocols = \ unstable/pointer-gestures/pointer-gestures-unstable-v1.xml \ unstable/fullscreen-shell/fullscreen-shell-unstable-v1.xml \ unstable/linux-dmabuf/linux-dmabuf-unstable-v1.xml \ + unstable/drm-lease/drm-lease-unstable-v1.xml \ unstable/text-input/text-input-unstable-v1.xml \ unstable/text-input/text-input-unstable-v3.xml \ unstable/input-method/input-method-unstable-v1.xml \ diff --git a/unstable/drm-lease/README b/unstable/drm-lease/README new file mode 100644 index 000..16f8551 --- /dev/null +++ b/unstable/drm-lease/README @@ -0,0 +1,5 @@ +Linux DRM lease + +Maintainers: +Drew DeVault +Marius Vlad diff --git a/unstable/drm-lease/drm-lease-unstable-v1.xml b/unstable/drm-lease/drm-lease-unstable-v1.xml new file mode 100644 index 000..5fbc0e3 --- /dev/null +++ b/unstable/drm-lease/drm-lease-unstable-v1.xml @@ -0,0 +1,246 @@ + + + +Copyright © 2018 NXP +Copyright © 2019 Status Research Development GmbH. + +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the "Software"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice (including the next +paragraph) shall be included in all copies or substantial portions of the +Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. + + + + + This protocol is used by Wayland compositors which act as Direct + Renderering Manager (DRM) masters to lease DRM resources to Wayland + clients. Once leased, the compositor will not use the leased resources +