kernel: Commit



Commit MetaInfo

Revision: ebf8b0462c25da747c0c0c1ed03941b46852fa7c (tree)
Time: 2020-05-12 12:43:22
Author: Emil Velikov <emil.velikov@coll...>
Committer: Chih-Wei Huang

Log Message

drm: rework SET_MASTER and DROP_MASTER perm handling

This commit reworks the permission handling of the two ioctls. In
particular it enforces the CAP_SYS_ADMIN check only if:

- we're issuing the ioctl from a process other than the one which opened
  the node, and
- we are, or were master in the past

This ensures that we:

- do not regress the systemd-logind style of DRM_MASTER arbitrator
- allow applications which do not use systemd-logind to drop their
  master capabilities (and regain them at a later point) ... w/o running as
  root.

See the comment above drm_master_check_perm() for more details.

v1:

- Tweak wording, fixup all checks, add igt test

v2:

- Add a few more comments, grammar nitpicks.

Cc: Adam Jackson <ajax@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Pekka Paalanen <ppaalanen@gmail.com>
Testcase: igt/core_setmaster/master-drop-set-user
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200319172930.230583-1-emil.l.velikov@gmail.com

Change Summary

Diff

--- a/drivers/gpu/drm/drm_auth.c
+++ b/drivers/gpu/drm/drm_auth.c
@@ -135,6 +135,7 @@ static int drm_set_master(struct drm_device *dev, struct drm_file *fpriv,
135135 }
136136 }
137137
138+ fpriv->was_master = (ret == 0);
138139 return ret;
139140 }
140141
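Review bot: `fpriv->was_master = (ret == 0);` overwrites the flag on every call, so a client that held master earlier and whose later re-acquisition fails in master_set() (ret != 0) has was_master reset to false and needs CAP_SYS_ADMIN from then on, which contradicts the "is or was master" semantic the new field is meant to carry. Either make the flag sticky with `if (!ret) fpriv->was_master = true;` or state in the field's comment that a failed master_set() clears it.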
@@ -179,12 +180,72 @@ out_err:
179180 return ret;
180181 }
181182
183+/*
184+ * In the olden days the SET/DROP_MASTER ioctls used to return EACCES when
185+ * CAP_SYS_ADMIN was not set. This was used to prevent rogue applications
186+ * from becoming master and/or failing to release it.
187+ *
188+ * At the same time, the first client (for a given VT) is _always_ master.
189+ * Thus in order for the ioctls to succeed, one had to _explicitly_ run the
190+ * application as root or flip the setuid bit.
191+ *
192+ * If the CAP_SYS_ADMIN was missing, no other client could become master...
193+ * EVER :-( Leading to a) the graphics session dying badly or b) a completely
194+ * locked session.
195+ *
196+ *
197+ * As some point systemd-logind was introduced to orchestrate and delegate
198+ * master as applicable. It does so by opening the fd and passing it to users
199+ * while in itself logind a) does the set/drop master per users' request and
200+ * b) * implicitly drops master on VT switch.
201+ *
202+ * Even though logind looks like the future, there are a few issues:
203+ * - some platforms don't have equivalent (Android, CrOS, some BSDs) so
204+ * root is required _solely_ for SET/DROP MASTER.
205+ * - applications may not be updated to use it,
206+ * - any client which fails to drop master* can DoS the application using
207+ * logind, to a varying degree.
208+ *
209+ * * Either due missing CAP_SYS_ADMIN or simply not calling DROP_MASTER.
210+ *
211+ *
212+ * Here we implement the next best thing:
213+ * - ensure the logind style of fd passing works unchanged, and
214+ * - allow a client to drop/set master, iff it is/was master at a given point
215+ * in time.
216+ *
217+ * Note: DROP_MASTER cannot be free for all, as an arbitrator user could:
218+ * - DoS/crash the arbitrator - details would be implementation specific
219+ * - open the node, become master implicitly and cause issues
220+ *
221+ * As a result this fixes the following when using root-less build w/o logind
222+ * - startx
223+ * - weston
224+ * - various compositors based on wlroots
225+ */
226+static int
227+drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
228+{
229+ if (file_priv->pid == task_pid(current) && file_priv->was_master)
230+ return 0;
231+
232+ if (!capable(CAP_SYS_ADMIN))
233+ return -EACCES;
234+
235+ return 0;
236+}
237+
182238 int drm_setmaster_ioctl(struct drm_device *dev, void *data,
183239 struct drm_file *file_priv)
184240 {
185241 int ret = 0;
186242
187243 mutex_lock(&dev->master_mutex);
244+
245+ ret = drm_master_check_perm(dev, file_priv);
246+ if (ret)
247+ goto out_unlock;
248+
188249 if (drm_is_current_master(file_priv))
189250 goto out_unlock;
190251
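Review bot: `file_priv->pid == task_pid(current)` is thread-granular; if file_priv->pid was recorded with task_pid() when the node was opened, a different thread of the same process issuing SET_MASTER/DROP_MASTER falls through to the CAP_SYS_ADMIN check and is refused, so either compare thread-group ids or document that only the opening thread is exempt. Note also that the check skips CAP_SYS_ADMIN only when both same-pid and was_master hold, i.e. it enforces the capability when either condition fails, which is the reverse of the "only if ... and ..." wording in the log message. The `dev` parameter of drm_master_check_perm() is unused, and the big comment has a few typos worth fixing before merge: "As some point" (At some point), the stray asterisk in "b) * implicitly drops master", and "Either due missing" (due to missing).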
@@ -229,6 +290,12 @@ int drm_dropmaster_ioctl(struct drm_device *dev, void *data,
229290 int ret = -EINVAL;
230291
231292 mutex_lock(&dev->master_mutex);
293+
294+ ret = drm_master_check_perm(dev, file_priv);
295+ if (ret)
296+ goto out_unlock;
297+
298+ ret = -EINVAL;
232299 if (!drm_is_current_master(file_priv))
233300 goto out_unlock;
234301
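Review bot: the initialiser `int ret = -EINVAL;` at the top of drm_dropmaster_ioctl() is now dead, since ret is unconditionally overwritten by drm_master_check_perm() and then re-set to -EINVAL at the added line 298; drop the initialiser (or initialise to 0 as drm_setmaster_ioctl() does) so there is a single place that establishes the -EINVAL for the not-current-master case. Ordering the permission check before drm_is_current_master() is correct, and it means an unprivileged client that never held master keeps getting -EACCES rather than -EINVAL, which the igt testcase should assert on explicitly.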
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -601,8 +601,8 @@ static const struct drm_ioctl_desc drm_ioctls[] = {
601601 DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_SET_SAREA_CTX, drm_legacy_setsareactx, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
602602 DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_GET_SAREA_CTX, drm_legacy_getsareactx, DRM_AUTH),
603603
604- DRM_IOCTL_DEF(DRM_IOCTL_SET_MASTER, drm_setmaster_ioctl, DRM_ROOT_ONLY),
605- DRM_IOCTL_DEF(DRM_IOCTL_DROP_MASTER, drm_dropmaster_ioctl, DRM_ROOT_ONLY),
604+ DRM_IOCTL_DEF(DRM_IOCTL_SET_MASTER, drm_setmaster_ioctl, 0),
605+ DRM_IOCTL_DEF(DRM_IOCTL_DROP_MASTER, drm_dropmaster_ioctl, 0),
606606
607607 DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_ADD_CTX, drm_legacy_addctx, DRM_AUTH|DRM_ROOT_ONLY),
608608 DRM_LEGACY_IOCTL_DEF(DRM_IOCTL_RM_CTX, drm_legacy_rmctx, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
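Review bot: with DRM_ROOT_ONLY replaced by 0 the ioctl table no longer gates SET_MASTER/DROP_MASTER at all; the only barrier is the drm_master_check_perm() call inside each handler, so any future caller of drm_setmaster_ioctl()/drm_dropmaster_ioctl() that skips it would be unprivileged. A one-line comment next to the two entries pointing at drm_master_check_perm() would record why the flags are deliberately 0 rather than DRM_AUTH. The entries still lack DRM_RENDER_ALLOW, so render nodes remain unable to issue them, which is the intended scope.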
--- a/include/drm/drm_file.h
+++ b/include/drm/drm_file.h
@@ -201,6 +201,17 @@ struct drm_file {
201201 bool writeback_connectors;
202202
203203 /**
204+ * @was_master:
205+ *
206+ * This client has or had, master capability. Protected by struct
207+ * &drm_device.master_mutex.
208+ *
209+ * This is used to ensure that CAP_SYS_ADMIN is not enforced, if the
210+ * client is or was master in the past.
211+ */
212+ bool was_master;
213+
214+ /**
204215 * @is_master:
205216 *
206217 * This client is the creator of @master. Protected by struct
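Review bot: kerneldoc wording: "This client has or had, master capability." has a stray comma and should read "This client has or had master capability." It would also help to say that the flag is written only by drm_set_master() (see the drm_auth.c hunk) and that drm_master_check_perm() relies on it together with the pid comparison, so readers of drm_file.h can see why it is protected by master_mutex.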