X11 still uses /dev/mem ?

Nix nix at esperi.org.uk
Mon Feb 22 10:59:12 PST 2010


On 22 Feb 2010, Adam Jackson verbalised:

> On Sat, 2010-02-20 at 15:00 +0000, Nix wrote:
>> Am I right in assuming that pretty much all of these are UMS-related? 
>> i.e., in KMS the only thing now stopping us running X as non-root at
>> long last is the input-device-revocation problem?
>
> That, and device permissions on /dev/dri/whatever, and that GEM objects
> are globally visible so you're still trusting that multiple X servers
> don't intentionally snoop on each other.

Device permissions are fixable with one udev rule / chown / chmod /
whatever. The 'intentionally snooping X servers' problem only allows
users to spy on other users (and perhaps bash their 3D state), but
doesn't allow arbitrary code execution as root unless there are more
bugs allowing users to instruct the GPU to DMA stuff to arbitrary parts
of system RAM (in which case we have a security hole even in the absence
of multiple users).

So even if the GEM problem is not fixed, this reduces a possible-
root-if-the-X-server-is-buggy hole to a possible-root-if-the-kernel-is-
buggy hole --- and since we will always have the kernel in our
vulnerability surface, it seems to me that even with GEM fixed, a
non-root X would be a good thing to have.

Input device revocation still seems important though :( a shame there's
no workaround, even if a hacky one :/ we don't really need generalized
revoke() for this, do we? Just revoke() on a limited class of devices?

(disclaimer: short of coffee, may be talking nonsense as a result)


