[rfc] VIA dri and security.
Thomas Hellström
unichrome at shipmail.org
Mon Oct 11 01:42:20 PDT 2004
Hi, Keith!
> Thomas Hellström wrote:
>> Hi!
>>
>> Sorry for the double posting. This is a thing that needs to be discussed
>> in both communities.
>>
>> The via DRM has started it's journey into the linus kernel, but the 3D
>> driver / DDX still suffers
>> from a security flaw:
>>
>> When the MMIO area is exported read-write it is assumed possible for a
>> dri client to manipulate registers to
>> blit otherwise protected areas of the system memory to video memory. It
>> is the DDX that tells the DRM whether to export the MMIO area read-only
>> or read-write. The OpenGL 3D driver unichrome_dri.so currently needs
>> write access to this area, until someone fixes it up to use register
>> writing ioctls now present in the via drm.
>>
>> The obvious fix is for the DDX to tell DRM to export the MMIO area as
>> read-only. In this way a normal user would get a segfault when trying to
>> run accelerated OpenGL, while it would work as root.
>
>
> This sort of thing has been discussed in the past, going all the way back
> to
> UtahGLX, which had a root-only direct rendering system of sorts.
>
> The trouble with doing this, and this was well established in UtahGLX, is
> that
> if you make a high-performance path available only to root, you get people
> running as root when they ordinarily wouldn't do so in order to access
> that
> performance path. Specifically, you're encouraging people to run
> binary-only
> games & toys with full superuser permissions.
>
> This is actually worse than a DRM model with theoretical insecurities -
> under
> that model a program would have to be cleverly crafted to expose and
> exploit
> the insecurity. Under this "run games as root" model, all of a sudden
> games
> have to be cleverly crafted and audited to *avoid* exposing
> insecurities...
>
> Nobody has done a security audit on q3 that would allow you to feel
> comfortable running it as root, to my knowledge...
>
> Keith
>
Agreed.
So what is your actual suggestion?
Export read-write as default or, as proposed, export read-write when
"AllowInsecureDRI" is enabled in the X server config?
Regards
Thomas.
More information about the xorg
mailing list