Re: [PATCH 0/2] ALSA: pcm: implement the anonymous dup v3

[Takashi Iwai <tiwai@suse.de>]

On Wed, 30 Jan 2019 23:32:37 +0100,
Mark Brown wrote:
> 
> On Wed, Jan 30, 2019 at 01:41:37PM +0100, Jaroslav Kysela wrote:
> > This patchset contains the anonymous dup implementation with permissions
> > checking for the ALSA's PCM interface in kernel to enable the restricted
> > DMA sound buffer sharing for the restricted tasks.
> > 
> > The code was tested through qemu and it seems to be pretty stable.
> > 
> > The initial tinyalsa implementation can be found here:
> > 
> >   https://github.com/perexg/tinyalsa/commits/anondup
> > 
> > The filtering might be refined. It depends on the real requirements.
> > Perhaps, we may create more ioctl groups. Any comments are more than
> > welcome.
> 
> My understanding based on some off-list discussion is that the Android
> security people are going to see anything that involves passing more
> than a block of memory (and in particular anything that gives access to
> the sound APIs) as a problem.  That's obviously going to be an issue for
> anything O_APPEND based.  My understanding is that this is fundamentally
> a risk mitigation thing - by not having any of the sound kernel
> interfaces available to the applications affected there's no possibility
> that any problems in the sound code can cause security issues.

The patch 2 implements exactly that kind of access restriction, so
that the passed fd won't do anything else than wished.

If we want to be super-conservative, the implementation could be even
simpler -- instead of filtering, we may pass a minimum fd ops that
contains only mmap and release for the anon-dup fd...


thanks,

Takashi