Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Wed, 2020-02-19 at 13:27 +, Emil Velikov wrote:
> + * As some point systemd-logind was introduced to orchestrate and delegate
> + * master as applicable. It does so by opening the fd and passing it to users
> + * while in itself logind a) does the set/drop master per users' request and
> + * b) * implicitly drops master on VT switch.
> + *
> + * Even though logind looks like the future, there are a few issues:
> + * - using it is not possible on some platforms
> + * - applications may not be updated to use it,
> + * - any client which fails to drop master* can DoS the application using
> + * logind, to a varying degree.
I'm not super worried. Everything about VTs is a pile of DoS scenarios
that userspace has to dance to avoid. It sounds like this is only
introducing new DoS scenarios for cases that previously simply did not
work.
> + * As a result this fixes, the following when using root-less build w/o
> logind
Nitpick: no comma here.
> int drm_setmaster_ioctl(struct drm_device *dev, void *data,
> struct drm_file *file_priv)
> {
> int ret = 0;
>
> mutex_lock(&dev->master_mutex);
> +
> + ret = drm_master_check_perm(dev, file_priv);
> + if (ret)
> + goto out_unlock;
> +
> if (drm_is_current_master(file_priv))
> goto out_unlock;
I'd mentioned this on IRC, and it doesn't need to be changed with this
patch, but it would be cool if the "does the device already have a
master" check just below here would return -EBUSY instead of -EINVAL so
userspace diagnostics have a chance of saying something useful. A quick
audit of the X drivers and weston shows no cases where we care about
the generated errno value beyond feeding it into strerror() so that
should also be safe.
Looks good otherwise, and these are definitely more reasonable
semantics. Thanks for taking this on!
Reviewed-by: Adam Jackson
- ajax
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Tue, Mar 17, 2020 at 1:26 PM Emil Velikov wrote:
>
> On Mon, 2 Mar 2020 at 18:29, Emil Velikov wrote:
> >
> > On Wed, 19 Feb 2020 at 13:27, Emil Velikov wrote:
> > >
> > > From: Emil Velikov
> > >
> > > This commit reworks the permission handling of the two ioctls. In
> > > particular it enforced the CAP_SYS_ADMIN check only, if:
> > > - we're issuing the ioctl from process other than the one which opened
> > > the node, and
> > > - we are, or were master in the past
> > >
> > > This ensures that we:
> > > - do not regress the systemd-logind style of DRM_MASTER arbitrator
> > > - allow applications which do not use systemd-logind to drop their
> > > master capabilities (and regain them at later point) ... w/o running as
> > > root.
> > >
> > > See the comment above drm_master_check_perm() for more details.
> > >
> > > v1:
> > > - Tweak wording, fixup all checks, add igt test
> > >
> > > Cc: Adam Jackson
> > > Cc: Daniel Vetter
> > > Cc: Pekka Paalanen
> > > Testcase: igt/core_setmaster/master-drop-set-user
> > > Signed-off-by: Emil Velikov
> > > ---
> > > drivers/gpu/drm/drm_auth.c | 62 +
> > > drivers/gpu/drm/drm_ioctl.c | 4 +--
> > > include/drm/drm_file.h | 11 +++
> > > 3 files changed, 75 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
> > > index cc9acd986c68..b26986bca271 100644
> > > --- a/drivers/gpu/drm/drm_auth.c
> > > +++ b/drivers/gpu/drm/drm_auth.c
> > > @@ -135,6 +135,7 @@ static int drm_set_master(struct drm_device *dev,
> > > struct drm_file *fpriv,
> > > }
> > > }
> > >
> > > + fpriv->was_master = (ret == 0);
> > > return ret;
> > > }
> > >
> > > @@ -179,12 +180,67 @@ static int drm_new_set_master(struct drm_device
> > > *dev, struct drm_file *fpriv)
> > > return ret;
> > > }
> > >
> > > +/*
> > > + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES
> > > when
> > > + * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
> > > + * from becoming master and/or failing to release it.
> > > + *
> > > + * At the same time, the first client (for a given VT) is _always_
> > > master.
> > > + * Thus in order for the ioctls to succeed, one had to _explicitly_ run
> > > the
> > > + * application as root or flip the setuid bit.
> > > + *
> > > + * If the CAP_SYS_ADMIN was missing, no other client could become
> > > master...
> > > + * EVER :-( Leading to a) the graphics session dying badly or b) a
> > > completely
> > > + * locked session.
> > > + *
> > > + *
> > > + * As some point systemd-logind was introduced to orchestrate and
> > > delegate
> > > + * master as applicable. It does so by opening the fd and passing it to
> > > users
> > > + * while in itself logind a) does the set/drop master per users' request
> > > and
> > > + * b) * implicitly drops master on VT switch.
> > > + *
> > > + * Even though logind looks like the future, there are a few issues:
> > > + * - using it is not possible on some platforms
> > > + * - applications may not be updated to use it,
> > > + * - any client which fails to drop master* can DoS the application
> > > using
> > > + * logind, to a varying degree.
> > > + *
> > > + * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
> > > + *
> > > + *
> > > + * Here we implement the next best thing:
> > > + * - ensure the logind style of fd passing works unchanged, and
> > > + * - allow a client to drop/set master, iff it is/was master at a given
> > > point
> > > + * in time.
> > > + *
> > > + * As a result this fixes, the following when using root-less build w/o
> > > logind
> > > + * - startx - some drivers work fine regardless
> > > + * - weston
> > > + * - various compositors based on wlroots
> > > + */
> > > +static int
> > > +drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
> > > +{
> > > + if (file_priv->pid == task_pid(current) && file_priv->was_master)
> > > + return 0;
> > > +
> > > + if (!capable(CAP_SYS_ADMIN))
> > > + return -EACCES;
> > > +
> > > + return 0;
> > > +}
> > > +
> > > int drm_setmaster_ioctl(struct drm_device *dev, void *data,
> > > struct drm_file *file_priv)
> > > {
> > > int ret = 0;
> > >
> > > mutex_lock(&dev->master_mutex);
> > > +
> > > + ret = drm_master_check_perm(dev, file_priv);
> > > + if (ret)
> > > + goto out_unlock;
> > > +
> > > if (drm_is_current_master(file_priv))
> > > goto out_unlock;
> > >
> > > @@ -229,6 +285,12 @@ int drm_dropmaster_ioctl(struct drm_device *dev,
> > > void *data,
> > > int ret = -EINVAL;
> > >
> > > mutex_lock(&dev->master_mutex);
> > > +
> > > + ret = drm_master_check_perm(dev, file_priv);
> > > + if (ret)
> > > + goto out_unlock;
> > > +
> > > + r
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Mon, 2 Mar 2020 at 18:29, Emil Velikov wrote:
>
> On Wed, 19 Feb 2020 at 13:27, Emil Velikov wrote:
> >
> > From: Emil Velikov
> >
> > This commit reworks the permission handling of the two ioctls. In
> > particular it enforced the CAP_SYS_ADMIN check only, if:
> > - we're issuing the ioctl from process other than the one which opened
> > the node, and
> > - we are, or were master in the past
> >
> > This ensures that we:
> > - do not regress the systemd-logind style of DRM_MASTER arbitrator
> > - allow applications which do not use systemd-logind to drop their
> > master capabilities (and regain them at later point) ... w/o running as
> > root.
> >
> > See the comment above drm_master_check_perm() for more details.
> >
> > v1:
> > - Tweak wording, fixup all checks, add igt test
> >
> > Cc: Adam Jackson
> > Cc: Daniel Vetter
> > Cc: Pekka Paalanen
> > Testcase: igt/core_setmaster/master-drop-set-user
> > Signed-off-by: Emil Velikov
> > ---
> > drivers/gpu/drm/drm_auth.c | 62 +
> > drivers/gpu/drm/drm_ioctl.c | 4 +--
> > include/drm/drm_file.h | 11 +++
> > 3 files changed, 75 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
> > index cc9acd986c68..b26986bca271 100644
> > --- a/drivers/gpu/drm/drm_auth.c
> > +++ b/drivers/gpu/drm/drm_auth.c
> > @@ -135,6 +135,7 @@ static int drm_set_master(struct drm_device *dev,
> > struct drm_file *fpriv,
> > }
> > }
> >
> > + fpriv->was_master = (ret == 0);
> > return ret;
> > }
> >
> > @@ -179,12 +180,67 @@ static int drm_new_set_master(struct drm_device *dev,
> > struct drm_file *fpriv)
> > return ret;
> > }
> >
> > +/*
> > + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
> > + * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
> > + * from becoming master and/or failing to release it.
> > + *
> > + * At the same time, the first client (for a given VT) is _always_ master.
> > + * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
> > + * application as root or flip the setuid bit.
> > + *
> > + * If the CAP_SYS_ADMIN was missing, no other client could become master...
> > + * EVER :-( Leading to a) the graphics session dying badly or b) a
> > completely
> > + * locked session.
> > + *
> > + *
> > + * As some point systemd-logind was introduced to orchestrate and delegate
> > + * master as applicable. It does so by opening the fd and passing it to
> > users
> > + * while in itself logind a) does the set/drop master per users' request
> > and
> > + * b) * implicitly drops master on VT switch.
> > + *
> > + * Even though logind looks like the future, there are a few issues:
> > + * - using it is not possible on some platforms
> > + * - applications may not be updated to use it,
> > + * - any client which fails to drop master* can DoS the application using
> > + * logind, to a varying degree.
> > + *
> > + * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
> > + *
> > + *
> > + * Here we implement the next best thing:
> > + * - ensure the logind style of fd passing works unchanged, and
> > + * - allow a client to drop/set master, iff it is/was master at a given
> > point
> > + * in time.
> > + *
> > + * As a result this fixes, the following when using root-less build w/o
> > logind
> > + * - startx - some drivers work fine regardless
> > + * - weston
> > + * - various compositors based on wlroots
> > + */
> > +static int
> > +drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
> > +{
> > + if (file_priv->pid == task_pid(current) && file_priv->was_master)
> > + return 0;
> > +
> > + if (!capable(CAP_SYS_ADMIN))
> > + return -EACCES;
> > +
> > + return 0;
> > +}
> > +
> > int drm_setmaster_ioctl(struct drm_device *dev, void *data,
> > struct drm_file *file_priv)
> > {
> > int ret = 0;
> >
> > mutex_lock(&dev->master_mutex);
> > +
> > + ret = drm_master_check_perm(dev, file_priv);
> > + if (ret)
> > + goto out_unlock;
> > +
> > if (drm_is_current_master(file_priv))
> > goto out_unlock;
> >
> > @@ -229,6 +285,12 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void
> > *data,
> > int ret = -EINVAL;
> >
> > mutex_lock(&dev->master_mutex);
> > +
> > + ret = drm_master_check_perm(dev, file_priv);
> > + if (ret)
> > + goto out_unlock;
> > +
> > + ret = -EINVAL;
> > if (!drm_is_current_master(file_priv))
> > goto out_unlock;
> >
> > diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> > index 9e41972c4bbc..73e31dd4e442 100644
> > --- a/drivers/gpu/drm/drm_ioctl.c
> > +++ b/drivers/gpu/drm/drm_ioctl.c
> > @@ -599,8 +599,8 @@ static const struct drm_ioctl_desc d
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Mon, 9 Mar 2020 at 18:36, Emil Velikov wrote: > > On Mon, 9 Mar 2020 at 13:13, Emil Velikov wrote: > > > > OTOH, if applications exist that rely on drop-master failing in this > > > specific case, making drop-master succeed would break them. That might > > > include a buggy set-master path that was written, but does not actually > > > work because it was never tested since drop-master never worked. > > > > > > So I do not fully buy this argument yet, but I also cannot name any > > > explicit examples that would break. > > > > > > > > I've ventured for a while in the X (Xorg + drivers), Weston, > > sway/wlroots and Mesa's codebase. > > There were zero instances of such misuse. If other projects come to > > mind - I'll gladly take a look. > > > Just checked a few other projects with git pickaxe* - zero cases of > mentioned (mis)use. In particular: > - qtbase + qtwayland + gtk > Never used the wrappers or ioctls > > - kwin + plasmashell > Never used the wrappers or ioctls > > - mutter + gnome-shell > Briefly used the wrappers. Sane codepath > > - igt-gpu-tools ... just because I had it open > Sane use both wrappers and ioctls. > > Any other projects I should check? > Coming back from an interesting venture in efl world: - enlightment - correctly usage during 2012-2014, switched to ecore_drm - evas (imlib2 successor) correct usage, few months in 2014, switched to ecore_drm - legacy/ecore - never used either - ecore - ecore_drm backend, correct usage of drmSet/DropMaster Given the above, it does seem that the raised concern is more or less hypothetical. -Emil ___ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Mon, 9 Mar 2020 at 13:13, Emil Velikov wrote: > > OTOH, if applications exist that rely on drop-master failing in this > > specific case, making drop-master succeed would break them. That might > > include a buggy set-master path that was written, but does not actually > > work because it was never tested since drop-master never worked. > > > > So I do not fully buy this argument yet, but I also cannot name any > > explicit examples that would break. > > > > > I've ventured for a while in the X (Xorg + drivers), Weston, > sway/wlroots and Mesa's codebase. > There were zero instances of such misuse. If other projects come to > mind - I'll gladly take a look. > Just checked a few other projects with git pickaxe* - zero cases of mentioned (mis)use. In particular: - qtbase + qtwayland + gtk Never used the wrappers or ioctls - kwin + plasmashell Never used the wrappers or ioctls - mutter + gnome-shell Briefly used the wrappers. Sane codepath - igt-gpu-tools ... just because I had it open Sane use both wrappers and ioctls. Any other projects I should check? -Emil * Both via libdrm and directly calling the ioctl git log -p -S DROP_MASTER git log -p -S drmDropMaster ___ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Mon, 9 Mar 2020 at 08:38, Pekka Paalanen wrote: > > On Fri, 6 Mar 2020 18:51:22 + > Emil Velikov wrote: > > > On Fri, 6 Mar 2020 at 14:00, Pekka Paalanen wrote: > > > > > > On Wed, 19 Feb 2020 13:27:28 + > > > Emil Velikov wrote: > > > > > > > From: Emil Velikov > > > > > > > > > > ... > > > > > > > +/* > > > > + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES > > > > when > > > > + * CAP_SYS_ADMIN was not set. This was used to prevent rogue > > > > applications > > > > + * from becoming master and/or failing to release it. > > > > + * > > > > + * At the same time, the first client (for a given VT) is _always_ > > > > master. > > > > + * Thus in order for the ioctls to succeed, one had to _explicitly_ > > > > run the > > > > + * application as root or flip the setuid bit. > > > > + * > > > > + * If the CAP_SYS_ADMIN was missing, no other client could become > > > > master... > > > > + * EVER :-( Leading to a) the graphics session dying badly or b) a > > > > completely > > > > + * locked session. > > > > + * > > > > > > Hi, > > > > > > sorry I had to trim this email harshly, but Google did not want to > > > deliver it otherwise. > > > > > > I agree that being able to drop master without CAP_SYS_ADMIN sounds > > > like a good thing. > > > > > > > + * > > > > + * As some point systemd-logind was introduced to orchestrate and > > > > delegate > > > > + * master as applicable. It does so by opening the fd and passing it > > > > to users > > > > + * while in itself logind a) does the set/drop master per users' > > > > request and > > > > + * b) * implicitly drops master on VT switch. > > > > + * > > > > + * Even though logind looks like the future, there are a few issues: > > > > + * - using it is not possible on some platforms > > > > + * - applications may not be updated to use it, > > > > + * - any client which fails to drop master* can DoS the application > > > > using > > > > + * logind, to a varying degree. > > > > + * > > > > + * * Either due missing CAP_SYS_ADMIN or simply not calling > > > > DROP_MASTER. > > > > + * > > > > + * > > > > + * Here we implement the next best thing: > > > > + * - ensure the logind style of fd passing works unchanged, and > > > > + * - allow a client to drop/set master, iff it is/was master at a > > > > given point > > > > + * in time. > > > > > > I understand the drop master part, because it is needed to get rid of > > > apps that accidentally gain DRM master because they were the first one > > > to open the DRM device (on a particular VT?). It could happen e.g. if a > > > Wayland client is inspecting DRM devices to figure what it wants to > > > lease while the user has VT-switched to a text-mode VT, I guess. E.g. > > > starting a Wayland VR compositor from a VT for whatever reason. > > > > > > The set master without CAP_SYS_ADMIN part I don't understand. > > > > > As you point out application can drop master for various reasons. One > > of which may be to say spawn another program which requires master for > > _non_ modeset reasons. For example: > > - amdgpu: create a renderer and use the context/process priority override > > IOCTL > > - vmwgfx: stream claim/unref (amongst others). > > Hi, > > if none of that is about KMS resources specifically, then to me it > seems like a mis-design that should be avoided if still possible. DRM > master is all about modeset, and in my option should be about nothing > else. > > Are those needed to keep existing userspace working? > In a perfect world sure. In practical terms - fixing these is less likely. We have limited time and thou shalt not regress userspace. About specifics on the individual drivers, I'll refer you to the respective teams. > > > Another case to consider is classic X or Wayland compositor. With > > CAP_SYS_ADMIN for DROP_MASTER removed, yet retained in SET_MASTER, the > > IOCTL will fail. Thus: > > - weston results in frozen session and session switching (have to > > force kill weston or sudo loginctl kill-session) > > - depending on the driver, X will work or crash > > > > To make this clearer I'll include //comment sections in the code. > > > > // comment > > To ensure the application can reclaim its master status, the tweaked > > CAP_SYS_ADMIN handling is needed for both IOCTLs. Otherwise X or > > Wayland compositors may freeze or crash as SET_MASTER fails. > > // comment > > A Wayland compositor or Xorg that got DRM master by first-opener up to > now has not been able to drop DRM master, which means VT switching away > does not work - does it? Correct - it does not. Yet the return code of the drmDropMaster is ignored so the compositor continues working... Somewhat. Weston got some checks recently IIRC. > If drop-master succeeded, then VT-switch back > doesn't work, which in my opinion is VT-switching failing again just in > a different way. > If the drmSetMaster fails (while Drop was successful), you'll get user-facing issues. The crash or freeze as ment
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Fri, 6 Mar 2020 18:51:22 + Emil Velikov wrote: > On Fri, 6 Mar 2020 at 14:00, Pekka Paalanen wrote: > > > > On Wed, 19 Feb 2020 13:27:28 + > > Emil Velikov wrote: > > > > > From: Emil Velikov > > > > > > > ... > > > > > +/* > > > + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES > > > when > > > + * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications > > > + * from becoming master and/or failing to release it. > > > + * > > > + * At the same time, the first client (for a given VT) is _always_ > > > master. > > > + * Thus in order for the ioctls to succeed, one had to _explicitly_ run > > > the > > > + * application as root or flip the setuid bit. > > > + * > > > + * If the CAP_SYS_ADMIN was missing, no other client could become > > > master... > > > + * EVER :-( Leading to a) the graphics session dying badly or b) a > > > completely > > > + * locked session. > > > + * > > > > Hi, > > > > sorry I had to trim this email harshly, but Google did not want to > > deliver it otherwise. > > > > I agree that being able to drop master without CAP_SYS_ADMIN sounds > > like a good thing. > > > > > + * > > > + * As some point systemd-logind was introduced to orchestrate and > > > delegate > > > + * master as applicable. It does so by opening the fd and passing it to > > > users > > > + * while in itself logind a) does the set/drop master per users' request > > > and > > > + * b) * implicitly drops master on VT switch. > > > + * > > > + * Even though logind looks like the future, there are a few issues: > > > + * - using it is not possible on some platforms > > > + * - applications may not be updated to use it, > > > + * - any client which fails to drop master* can DoS the application > > > using > > > + * logind, to a varying degree. > > > + * > > > + * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER. > > > + * > > > + * > > > + * Here we implement the next best thing: > > > + * - ensure the logind style of fd passing works unchanged, and > > > + * - allow a client to drop/set master, iff it is/was master at a given > > > point > > > + * in time. > > > > I understand the drop master part, because it is needed to get rid of > > apps that accidentally gain DRM master because they were the first one > > to open the DRM device (on a particular VT?). It could happen e.g. if a > > Wayland client is inspecting DRM devices to figure what it wants to > > lease while the user has VT-switched to a text-mode VT, I guess. E.g. > > starting a Wayland VR compositor from a VT for whatever reason. > > > > The set master without CAP_SYS_ADMIN part I don't understand. > > > As you point out application can drop master for various reasons. One > of which may be to say spawn another program which requires master for > _non_ modeset reasons. For example: > - amdgpu: create a renderer and use the context/process priority override > IOCTL > - vmwgfx: stream claim/unref (amongst others). Hi, if none of that is about KMS resources specifically, then to me it seems like a mis-design that should be avoided if still possible. DRM master is all about modeset, and in my option should be about nothing else. Are those needed to keep existing userspace working? > Another case to consider is classic X or Wayland compositor. With > CAP_SYS_ADMIN for DROP_MASTER removed, yet retained in SET_MASTER, the > IOCTL will fail. Thus: > - weston results in frozen session and session switching (have to > force kill weston or sudo loginctl kill-session) > - depending on the driver, X will work or crash > > To make this clearer I'll include //comment sections in the code. > > // comment > To ensure the application can reclaim its master status, the tweaked > CAP_SYS_ADMIN handling is needed for both IOCTLs. Otherwise X or > Wayland compositors may freeze or crash as SET_MASTER fails. > // comment A Wayland compositor or Xorg that got DRM master by first-opener up to now has not been able to drop DRM master, which means VT switching away does not work - does it? If drop-master succeeded, then VT-switch back doesn't work, which in my opinion is VT-switching failing again just in a different way. OTOH, if applications exist that rely on drop-master failing in this specific case, making drop-master succeed would break them. That might include a buggy set-master path that was written, but does not actually work because it was never tested since drop-master never worked. So I do not fully buy this argument yet, but I also cannot name any explicit examples that would break. > > > + * > > > + * As a result this fixes, the following when using root-less build w/o > > > logind > > > > Why is non-root without any logind-equivalent a use case that should > > work? > > > // comment > Some platforms don't have equivalent (Android, CrOS, some BSDs), yet > root is required _solely_ for DROP/SET MASTER. So tweaking the > requirement sounds perfectly reason
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Fri, 6 Mar 2020 at 14:00, Pekka Paalanen wrote:
>
> On Wed, 19 Feb 2020 13:27:28 +
> Emil Velikov wrote:
>
> > From: Emil Velikov
> >
>
> ...
>
> > +/*
> > + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
> > + * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
> > + * from becoming master and/or failing to release it.
> > + *
> > + * At the same time, the first client (for a given VT) is _always_ master.
> > + * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
> > + * application as root or flip the setuid bit.
> > + *
> > + * If the CAP_SYS_ADMIN was missing, no other client could become master...
> > + * EVER :-( Leading to a) the graphics session dying badly or b) a
> > completely
> > + * locked session.
> > + *
>
> Hi,
>
> sorry I had to trim this email harshly, but Google did not want to
> deliver it otherwise.
>
> I agree that being able to drop master without CAP_SYS_ADMIN sounds
> like a good thing.
>
> > + *
> > + * As some point systemd-logind was introduced to orchestrate and delegate
> > + * master as applicable. It does so by opening the fd and passing it to
> > users
> > + * while in itself logind a) does the set/drop master per users' request
> > and
> > + * b) * implicitly drops master on VT switch.
> > + *
> > + * Even though logind looks like the future, there are a few issues:
> > + * - using it is not possible on some platforms
> > + * - applications may not be updated to use it,
> > + * - any client which fails to drop master* can DoS the application using
> > + * logind, to a varying degree.
> > + *
> > + * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
> > + *
> > + *
> > + * Here we implement the next best thing:
> > + * - ensure the logind style of fd passing works unchanged, and
> > + * - allow a client to drop/set master, iff it is/was master at a given
> > point
> > + * in time.
>
> I understand the drop master part, because it is needed to get rid of
> apps that accidentally gain DRM master because they were the first one
> to open the DRM device (on a particular VT?). It could happen e.g. if a
> Wayland client is inspecting DRM devices to figure what it wants to
> lease while the user has VT-switched to a text-mode VT, I guess. E.g.
> starting a Wayland VR compositor from a VT for whatever reason.
>
> The set master without CAP_SYS_ADMIN part I don't understand.
>
As you point out application can drop master for various reasons. One
of which may be to say spawn another program which requires master for
_non_ modeset reasons. For example:
- amdgpu: create a renderer and use the context/process priority override IOCTL
- vmwgfx: stream claim/unref (amongst others).
Another case to consider is classic X or Wayland compositor. With
CAP_SYS_ADMIN for DROP_MASTER removed, yet retained in SET_MASTER, the
IOCTL will fail. Thus:
- weston results in frozen session and session switching (have to
force kill weston or sudo loginctl kill-session)
- depending on the driver, X will work or crash
To make this clearer I'll include //comment sections in the code.
// comment
To ensure the application can reclaim its master status, the tweaked
CAP_SYS_ADMIN handling is needed for both IOCTLs. Otherwise X or
Wayland compositors may freeze or crash as SET_MASTER fails.
// comment
> > + *
> > + * As a result this fixes, the following when using root-less build w/o
> > logind
>
> Why is non-root without any logind-equivalent a use case that should
> work?
>
// comment
Some platforms don't have equivalent (Android, CrOS, some BSDs), yet
root is required _solely_ for DROP/SET MASTER. So tweaking the
requirement sounds perfectly reasonable.
// comment
> Why did DRM set/drop master use to require CAP_SYS_ADMIN in the first
> place?
>
I imagine something else could have been introduced instead. Although
I cannot find any details or discussion on the topic.
> What else happens if we allow DRM set master more than just for
> CAP_SYS_ADMIN?
>
If we're talking about removing CAP_SYS_ADMIN all together:
- screen scraping by any random application
- dead trivial way to DoS your compositor
> Does this interact with DRM leasing?
>
> Looks like drmIsMaster() should be unaffected at least:
> https://patchwork.kernel.org/patch/10776525/
>
Correct, both are unaffected. All the leasing IOCTLs happen by the
active true (aka non-lease) master.
> > + * - startx - some drivers work fine regardless
> > + * - weston
> > + * - various compositors based on wlroots
> > + */
> > +static int
> > +drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
> > +{
> > + if (file_priv->pid == task_pid(current) && file_priv->was_master)
> > + return 0;
>
> In case a helper e.g. logind opens the device, is file_priv->pid then
> referring to logind regardless of what happens afterwards?
>
Correct.
> > +
> > + if (!capable(CAP_SYS_ADMIN))
> > + return -EACCES
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Wed, 19 Feb 2020 13:27:28 +
Emil Velikov wrote:
> From: Emil Velikov
>
...
> +/*
> + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
> + * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
> + * from becoming master and/or failing to release it.
> + *
> + * At the same time, the first client (for a given VT) is _always_ master.
> + * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
> + * application as root or flip the setuid bit.
> + *
> + * If the CAP_SYS_ADMIN was missing, no other client could become master...
> + * EVER :-( Leading to a) the graphics session dying badly or b) a completely
> + * locked session.
> + *
Hi,
sorry I had to trim this email harshly, but Google did not want to
deliver it otherwise.
I agree that being able to drop master without CAP_SYS_ADMIN sounds
like a good thing.
> + *
> + * As some point systemd-logind was introduced to orchestrate and delegate
> + * master as applicable. It does so by opening the fd and passing it to users
> + * while in itself logind a) does the set/drop master per users' request and
> + * b) * implicitly drops master on VT switch.
> + *
> + * Even though logind looks like the future, there are a few issues:
> + * - using it is not possible on some platforms
> + * - applications may not be updated to use it,
> + * - any client which fails to drop master* can DoS the application using
> + * logind, to a varying degree.
> + *
> + * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
> + *
> + *
> + * Here we implement the next best thing:
> + * - ensure the logind style of fd passing works unchanged, and
> + * - allow a client to drop/set master, iff it is/was master at a given
> point
> + * in time.
I understand the drop master part, because it is needed to get rid of
apps that accidentally gain DRM master because they were the first one
to open the DRM device (on a particular VT?). It could happen e.g. if a
Wayland client is inspecting DRM devices to figure what it wants to
lease while the user has VT-switched to a text-mode VT, I guess. E.g.
starting a Wayland VR compositor from a VT for whatever reason.
The set master without CAP_SYS_ADMIN part I don't understand.
> + *
> + * As a result this fixes, the following when using root-less build w/o
> logind
Why is non-root without any logind-equivalent a use case that should
work?
Why did DRM set/drop master use to require CAP_SYS_ADMIN in the first
place?
What else happens if we allow DRM set master more than just for
CAP_SYS_ADMIN?
Does this interact with DRM leasing?
Looks like drmIsMaster() should be unaffected at least:
https://patchwork.kernel.org/patch/10776525/
> + * - startx - some drivers work fine regardless
> + * - weston
> + * - various compositors based on wlroots
> + */
> +static int
> +drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
> +{
> + if (file_priv->pid == task_pid(current) && file_priv->was_master)
> + return 0;
In case a helper e.g. logind opens the device, is file_priv->pid then
referring to logind regardless of what happens afterwards?
> +
> + if (!capable(CAP_SYS_ADMIN))
> + return -EACCES;
> +
> + return 0;
> +}
> +
> int drm_setmaster_ioctl(struct drm_device *dev, void *data,
> struct drm_file *file_priv)
> {
> int ret = 0;
>
> mutex_lock(&dev->master_mutex);
> +
> + ret = drm_master_check_perm(dev, file_priv);
> + if (ret)
> + goto out_unlock;
> +
> if (drm_is_current_master(file_priv))
> goto out_unlock;
>
> @@ -229,6 +285,12 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void
> *data,
> int ret = -EINVAL;
>
> mutex_lock(&dev->master_mutex);
> +
> + ret = drm_master_check_perm(dev, file_priv);
Why does drop-master need any kind of permission check? Why could it
not be free for all?
Thanks,
pq
pgp7MKwATruw5.pgp
Description: OpenPGP digital signature
___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
On Wed, 19 Feb 2020 at 13:27, Emil Velikov wrote:
>
> From: Emil Velikov
>
> This commit reworks the permission handling of the two ioctls. In
> particular it enforced the CAP_SYS_ADMIN check only, if:
> - we're issuing the ioctl from process other than the one which opened
> the node, and
> - we are, or were master in the past
>
> This ensures that we:
> - do not regress the systemd-logind style of DRM_MASTER arbitrator
> - allow applications which do not use systemd-logind to drop their
> master capabilities (and regain them at later point) ... w/o running as
> root.
>
> See the comment above drm_master_check_perm() for more details.
>
> v1:
> - Tweak wording, fixup all checks, add igt test
>
> Cc: Adam Jackson
> Cc: Daniel Vetter
> Cc: Pekka Paalanen
> Testcase: igt/core_setmaster/master-drop-set-user
> Signed-off-by: Emil Velikov
> ---
> drivers/gpu/drm/drm_auth.c | 62 +
> drivers/gpu/drm/drm_ioctl.c | 4 +--
> include/drm/drm_file.h | 11 +++
> 3 files changed, 75 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
> index cc9acd986c68..b26986bca271 100644
> --- a/drivers/gpu/drm/drm_auth.c
> +++ b/drivers/gpu/drm/drm_auth.c
> @@ -135,6 +135,7 @@ static int drm_set_master(struct drm_device *dev, struct
> drm_file *fpriv,
> }
> }
>
> + fpriv->was_master = (ret == 0);
> return ret;
> }
>
> @@ -179,12 +180,67 @@ static int drm_new_set_master(struct drm_device *dev,
> struct drm_file *fpriv)
> return ret;
> }
>
> +/*
> + * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
> + * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
> + * from becoming master and/or failing to release it.
> + *
> + * At the same time, the first client (for a given VT) is _always_ master.
> + * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
> + * application as root or flip the setuid bit.
> + *
> + * If the CAP_SYS_ADMIN was missing, no other client could become master...
> + * EVER :-( Leading to a) the graphics session dying badly or b) a completely
> + * locked session.
> + *
> + *
> + * As some point systemd-logind was introduced to orchestrate and delegate
> + * master as applicable. It does so by opening the fd and passing it to users
> + * while in itself logind a) does the set/drop master per users' request and
> + * b) * implicitly drops master on VT switch.
> + *
> + * Even though logind looks like the future, there are a few issues:
> + * - using it is not possible on some platforms
> + * - applications may not be updated to use it,
> + * - any client which fails to drop master* can DoS the application using
> + * logind, to a varying degree.
> + *
> + * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
> + *
> + *
> + * Here we implement the next best thing:
> + * - ensure the logind style of fd passing works unchanged, and
> + * - allow a client to drop/set master, iff it is/was master at a given
> point
> + * in time.
> + *
> + * As a result this fixes, the following when using root-less build w/o
> logind
> + * - startx - some drivers work fine regardless
> + * - weston
> + * - various compositors based on wlroots
> + */
> +static int
> +drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
> +{
> + if (file_priv->pid == task_pid(current) && file_priv->was_master)
> + return 0;
> +
> + if (!capable(CAP_SYS_ADMIN))
> + return -EACCES;
> +
> + return 0;
> +}
> +
> int drm_setmaster_ioctl(struct drm_device *dev, void *data,
> struct drm_file *file_priv)
> {
> int ret = 0;
>
> mutex_lock(&dev->master_mutex);
> +
> + ret = drm_master_check_perm(dev, file_priv);
> + if (ret)
> + goto out_unlock;
> +
> if (drm_is_current_master(file_priv))
> goto out_unlock;
>
> @@ -229,6 +285,12 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void
> *data,
> int ret = -EINVAL;
>
> mutex_lock(&dev->master_mutex);
> +
> + ret = drm_master_check_perm(dev, file_priv);
> + if (ret)
> + goto out_unlock;
> +
> + ret = -EINVAL;
> if (!drm_is_current_master(file_priv))
> goto out_unlock;
>
> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> index 9e41972c4bbc..73e31dd4e442 100644
> --- a/drivers/gpu/drm/drm_ioctl.c
> +++ b/drivers/gpu/drm/drm_ioctl.c
> @@ -599,8 +599,8 @@ static const struct drm_ioctl_desc drm_ioctls[] = {
> DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_SET_SAREA_CTX, drm_legacy_setsareactx,
> DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
> DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_GET_SAREA_CTX, drm_legacy_getsareactx,
> DRM_AUTH),
>
> - DRM_IOCTL_DEF(DRM_IOCTL_SET_MASTER, drm_setmaster_ioctl,
> DRM_ROOT_ONLY),
> - DRM_IOCTL_
[PATCH] drm: rework SET_MASTER and DROP_MASTER perm handling
From: Emil Velikov
This commit reworks the permission handling of the two ioctls. In
particular it enforced the CAP_SYS_ADMIN check only, if:
- we're issuing the ioctl from process other than the one which opened
the node, and
- we are, or were master in the past
This ensures that we:
- do not regress the systemd-logind style of DRM_MASTER arbitrator
- allow applications which do not use systemd-logind to drop their
master capabilities (and regain them at later point) ... w/o running as
root.
See the comment above drm_master_check_perm() for more details.
v1:
- Tweak wording, fixup all checks, add igt test
Cc: Adam Jackson
Cc: Daniel Vetter
Cc: Pekka Paalanen
Testcase: igt/core_setmaster/master-drop-set-user
Signed-off-by: Emil Velikov
---
drivers/gpu/drm/drm_auth.c | 62 +
drivers/gpu/drm/drm_ioctl.c | 4 +--
include/drm/drm_file.h | 11 +++
3 files changed, 75 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
index cc9acd986c68..b26986bca271 100644
--- a/drivers/gpu/drm/drm_auth.c
+++ b/drivers/gpu/drm/drm_auth.c
@@ -135,6 +135,7 @@ static int drm_set_master(struct drm_device *dev, struct
drm_file *fpriv,
}
}
+ fpriv->was_master = (ret == 0);
return ret;
}
@@ -179,12 +180,67 @@ static int drm_new_set_master(struct drm_device *dev,
struct drm_file *fpriv)
return ret;
}
+/*
+ * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
+ * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
+ * from becoming master and/or failing to release it.
+ *
+ * At the same time, the first client (for a given VT) is _always_ master.
+ * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
+ * application as root or flip the setuid bit.
+ *
+ * If the CAP_SYS_ADMIN was missing, no other client could become master...
+ * EVER :-( Leading to a) the graphics session dying badly or b) a completely
+ * locked session.
+ *
+ *
+ * As some point systemd-logind was introduced to orchestrate and delegate
+ * master as applicable. It does so by opening the fd and passing it to users
+ * while in itself logind a) does the set/drop master per users' request and
+ * b) * implicitly drops master on VT switch.
+ *
+ * Even though logind looks like the future, there are a few issues:
+ * - using it is not possible on some platforms
+ * - applications may not be updated to use it,
+ * - any client which fails to drop master* can DoS the application using
+ * logind, to a varying degree.
+ *
+ * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
+ *
+ *
+ * Here we implement the next best thing:
+ * - ensure the logind style of fd passing works unchanged, and
+ * - allow a client to drop/set master, iff it is/was master at a given point
+ * in time.
+ *
+ * As a result this fixes, the following when using root-less build w/o logind
+ * - startx - some drivers work fine regardless
+ * - weston
+ * - various compositors based on wlroots
+ */
+static int
+drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
+{
+ if (file_priv->pid == task_pid(current) && file_priv->was_master)
+ return 0;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+ return 0;
+}
+
int drm_setmaster_ioctl(struct drm_device *dev, void *data,
struct drm_file *file_priv)
{
int ret = 0;
mutex_lock(&dev->master_mutex);
+
+ ret = drm_master_check_perm(dev, file_priv);
+ if (ret)
+ goto out_unlock;
+
if (drm_is_current_master(file_priv))
goto out_unlock;
@@ -229,6 +285,12 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void
*data,
int ret = -EINVAL;
mutex_lock(&dev->master_mutex);
+
+ ret = drm_master_check_perm(dev, file_priv);
+ if (ret)
+ goto out_unlock;
+
+ ret = -EINVAL;
if (!drm_is_current_master(file_priv))
goto out_unlock;
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
index 9e41972c4bbc..73e31dd4e442 100644
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -599,8 +599,8 @@ static const struct drm_ioctl_desc drm_ioctls[] = {
DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_SET_SAREA_CTX, drm_legacy_setsareactx,
DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_GET_SAREA_CTX, drm_legacy_getsareactx,
DRM_AUTH),
- DRM_IOCTL_DEF(DRM_IOCTL_SET_MASTER, drm_setmaster_ioctl, DRM_ROOT_ONLY),
- DRM_IOCTL_DEF(DRM_IOCTL_DROP_MASTER, drm_dropmaster_ioctl,
DRM_ROOT_ONLY),
+ DRM_IOCTL_DEF(DRM_IOCTL_SET_MASTER, drm_setmaster_ioctl, 0),
+ DRM_IOCTL_DEF(DRM_IOCTL_DROP_MASTER, drm_dropmaster_ioctl, 0),
DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_ADD_CTX, drm_legacy_addctx,
DRM_AUTH|DRM_ROOT_ONLY),
DRM_LEG
