DRM buffer permission model is inadequate

Bug #1025525 reported by Chris Halse Rogers
Affects: linux (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Currently the DRM permission model is roughly “if you've got drm master you can access any buffer and if you don't have drm master you can't access any of master's buffers”. This is ok for the existing fast-user-switching method of spawning a new X server and then VT switching, as the old server drops master and the new server becomes the drm master.

Actually, the above is a lie: currently the DRM permission model is ‘if you're authenticated you can access any buffer any client has shared’, and X proxies drm auth for all clients. VT switching drops master, but dropping master does not drop authentication, so this does not prevent inactive users from snooping on shared buffers.

For the system compositor this is a bit worse, as the root window of the user sessions will be shared buffers.

Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1025525

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: bot-stop-nagging
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → High
Changed in linux (Ubuntu):
status: Confirmed → Triaged
information type: Public → Public Security
Pat Hamilton (pat6)
information type: Public Security → Private Security
Chris Halse Rogers (raof) wrote :

This is actually resolved now; dmabufs are available for use (and are in broad use), and they're capability- (i.e. fd-) based.

Changed in linux (Ubuntu):
status: Triaged → Fix Released
Alex Murray (alexmurray)
information type: Private Security → Public Security
Brad Figg (brad-figg)
tags: added: cscc
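
The fd-based (capability) sharing that the last comment refers to, as an added example that is not code from this report or from the kernel: a client can reach a buffer only if the owner explicitly sends it a file descriptor over a Unix socket (`SCM_RIGHTS`). An unlinked temporary file stands in for a dmabuf here, and `client_access`, `send_fd`, `recv_fd` and the frame contents are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
union ctl { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

static int send_fd(int sock, int fd) {   /* explicit grant to one peer */
    char byte = 0; union ctl u = {{0}}; struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock) {           /* -1 if the peer granted nothing */
    char byte; union ctl u; int fd = -1; struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Client's exit status: 0 = mapped the buffer via a granted fd, 1 = no fd, no access. */
int client_access(int grant) {
    static const char frame[] = "constructed frame contents";
    char path[] = "/tmp/bufXXXXXX"; int sv[2], status = 0; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                      /* client: holds only the socket */
        close(sv[0]); int fd = recv_fd(sv[1]);
        if (fd < 0) _exit(1);
        char *p = mmap(NULL, sizeof frame, PROT_READ, MAP_SHARED, fd, 0);
        _exit(p != MAP_FAILED && memcmp(p, frame, sizeof frame) == 0 ? 0 : 2);
    }
    /* Buffer is created after fork() and unlinked at once: not inherited, no name to open. */
    int buf = mkstemp(path); unlink(path);
    int ok = buf >= 0 && write(buf, frame, sizeof frame) == (ssize_t)sizeof frame;
    if (ok && grant) send_fd(sv[0], buf);
    close(sv[0]); close(sv[1]); close(buf);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

`client_access(1)` returns 0 because the client maps the buffer through the descriptor it was sent; `client_access(0)` returns 1 because a client that was never sent a descriptor has no handle or name through which to reach the buffer.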