From: Daniel Vetter <daniel@ffwll.ch>
To: Emil Velikov <emil.l.velikov@gmail.com>
Cc: ML dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH 0/3] drm: tweak permission handling
Date: Thu, 20 Dec 2018 15:43:33 +0100
Message-ID: <20181220144333.GJ21184@phenom.ffwll.local>
In-Reply-To: <CACvgo539RS_XhzvoiNkqqJaW3AXz9ALc_eq6qX_zThh=G5UyXQ@mail.gmail.com>

On Thu, Dec 20, 2018 at 12:56:46PM +0000, Emil Velikov wrote:
> On Wed, 19 Dec 2018 at 20:37, Daniel Vetter <daniel@ffwll.ch> wrote:
> >
> > On Wed, Dec 19, 2018 at 09:30:46PM +0100, Daniel Vetter wrote:
> > > On Wed, Dec 19, 2018 at 07:22:44PM +0000, Emil Velikov wrote:
> > > > Hi all,
> > > >
> > > > This series relaxes some permission handling we have in core.
> > > >
> > > > The first patch swaps the DRM_ROOT_ONLY to DRM_MASTER on DROP_MASTER
> > > > ioctls. Thus any application can drop privileges just after SET_MASTER
> > > > and not worry about elevating them, solely for DROP_MASTER.
> > > >
> > > > The last commit admittedly works around userspace bugs. Although it's
> > > > far better than the "run as root" approach that people have been using.
> > > >
> > > > It has the extra side effect of allowing some userspace (but not all)
> > > > to use vgem without any modifications ;-)
> > > >
> > > > Would be great if this series is checked through the Intel GFX trybot
> > > > but I'm not sure how to do that.
> > >
> > > Just cc intel-gfx@lists.freedesktop.org.
> Thanks, will do.
> 
> >
> > Even better would be a few igts to exercise this stuff. We have some basic
> > auth tests, but not much, so running this through the intel CI won't test
> > much at all.
> 
> Right, I was thinking about adding something like the following:
> - open the primary node - /dev/dri/cardX
> - ensure it's not authenticated - by default the first client (or one
> run as root) is
> - issue a trivial ioctl that's annotated as DRM_AUTH
> - fail if the ioctl returns with -EACCESS
> 
> Since IGT is usually the first client (or sometimes run as root), I'm
> not quite sure how to achieve the second point.
> Any ideas are greatly appreciated.

Open fd a 2nd time, before closing the first one. For examples see the
various core_* tests, specifically core_auth.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
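
The check discussed in this message, sketched as an added example (not code from the thread or from IGT): the primary node is opened twice so the second fd is not the first client, then a DRM_AUTH ioctl is issued on it. The choice of DRM_IOCTL_GEM_OPEN as the probe and the names classify_auth and probe_second_client are assumptions of this sketch.

```c
/* Added example, not from the thread. Assumes Linux with the DRM uapi
 * header <drm/drm.h>; the device node path is supplied by the caller. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <drm/drm.h>

enum auth_result { AUTH_SKIP = -1, AUTH_DENIED = 0, AUTH_PERMITTED = 1 };

/* Map the outcome of a DRM_AUTH ioctl to a verdict. The permission check
 * runs before the handler, so EACCES means "rejected as unauthenticated",
 * while ENOENT (no such flink name) means the handler itself ran. */
enum auth_result classify_auth(int ret, int err)
{
    if (ret == 0 || err == ENOENT)
        return AUTH_PERMITTED;
    if (err == EACCES)
        return AUTH_DENIED;
    return AUTH_SKIP;              /* e.g. ENOTTY: not a usable probe */
}

enum auth_result probe_second_client(const char *node)
{
    if (geteuid() == 0)            /* a client run as root is authenticated */
        return AUTH_SKIP;
    int first = open(node, O_RDWR);    /* first client on the node */
    if (first < 0)
        return AUTH_SKIP;
    int second = open(node, O_RDWR);   /* opened while the first is alive */
    if (second < 0) { close(first); return AUTH_SKIP; }

    struct drm_gem_open arg;
    memset(&arg, 0, sizeof(arg));  /* name 0: assumed never a valid flink name */
    int ret = ioctl(second, DRM_IOCTL_GEM_OPEN, &arg);
    int err = errno;
    close(second);
    close(first);
    return classify_auth(ret, err);
}

int main(int argc, char **argv)
{
    const char *node = argc > 1 ? argv[1] : "/dev/dri/card0";
    printf("%s: %d\n", node, probe_second_client(node));
    return 0;
}
```

The probe only reports which way the kernel decided; whether AUTH_DENIED or AUTH_PERMITTED is the passing result depends on whether patch 3/3 of the series is applied.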