On Sun, Aug 25, 2013 at 11:12:39PM +0200, David Herrmann wrote:
DRM_IOCTL_MODE_GETFB is used to retrieve information about a given framebuffer ID. It is a read-only helper and was thus declassified for unprivileged access in:
commit a14b1b42477c5ef089fcda88cbaae50d979eb8f9 Author: Mandeep Singh Baines mandeep.baines@gmail.com Date: Fri Jan 20 12:11:16 2012 -0800
drm: remove master fd restriction on mode setting gettersHowever, beside width, height and stride information, DRM_IOCTL_MODE_GETFB also passes back a handle to the underlying gem-bo of the framebuffer. This handle allows users to mmap() it and read or write into it. Obviously, this should be restricted to DRM-Master.
With the current setup, *any* process with access to /dev/dri/card0 (which means any process with access to hardware-accelerated rendering) can access the current screen framebuffer and modify it ad libitum.
For backwards-compatibility reasons we want to keep the DRM_IOCTL_MODE_GETFB call unprivileged. Besides, it provides quite useful information regarding screen setup. So we simply test whether the caller is the current DRM-Master and if not, we return 0 as handle, which is always invalid. A following DRM_IOCTL_GEM_CLOSE on this handle will fail with EINVAL, but we accept this. Users shouldn't test for errors during GEM_CLOSE, anyway. And it is still better than a failing MODE_GETFB call.
Hmm, I do have userspace that takes advantage of this already for reads. So if you can make it a DRM_MASTER || cappable(SYS_ADMID) privileged operation instead, I can live with that. -Chris