Received: by 10.223.164.221 with SMTP id h29csp2149672wrb; Tue, 17 Oct 2017 16:41:33 -0700 (PDT) X-Received: by 10.159.234.3 with SMTP id be3mr13529091plb.5.1508283693835; Tue, 17 Oct 2017 16:41:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508283693; cv=none; d=google.com; s=arc-20160816; b=ylvnBgxm6mPKM3uwIzEpicMkIW7Dj43umt3guBk6MAjztqp47rnTXBmVRxVmky63c3 p5r/v39IzswlNcPZiCBgw3mv1YqaKxDrgAoO6Lr6A+pCOK9o2gNS2ibvu2iTdnU3APR5 o+Q3tpO3a9vDTROHdpTdUwaWuQRtWD1SjCp7eBeCfgKvzZOntIewekOnhmDHuKq1QJLN gl0D0x2lH/hPZquNNJydC6dt2h0w3WiTfmOvpjhcgmsD2+QMJOlqf1+7+emevUUEcdy9 p9NKAYW9BmJmEf9LRasQezzDE1oOqr7sgmEJLtHQ03O/ofqKDjmViLIVfACKAESU//Zv Uy0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=MvlMLetR2Cn4DELN5OYadsMvEoxmk72MU/F1uBwm9vg=; b=EouGiYCbQpQm/uLwQiYLcHRLnqYfHSvdDb94zQgHPsxVhs5oCLcolaLL/niYJpGmX0 jb/nLYMX3/hXZGgaPG8cMoRq135AbmQHKIpc7syFjCq7Lq+nHXhVLGpmIS0HLpMba8in yt/5p+m55EfAqN6Gz6ubkBMCwTLFfxHrVYIl2AURWka3KYtQP2D0V2afUrrqtVK1SUid weBTRu0YdS9NDMeBdQohf5HoKBRFU3kBxw6xpxvSUHWkRGijmEDbWMscMW8LNyVF1hMb aFguSbb/HyTcr8CsmE4uIN8zdQyIImpDPSxFdHjbNhVEWCMH4GGLXgHFA6rjMEJO4aIN BI2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ITzJK1z/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l8si5979850pgs.829.2017.10.17.16.41.19; Tue, 17 Oct 2017 16:41:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ITzJK1z/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761843AbdJQMjF (ORCPT + 99 others); Tue, 17 Oct 2017 08:39:05 -0400 Received: from mail-qt0-f176.google.com ([209.85.216.176]:55252 "EHLO mail-qt0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756433AbdJQMjD (ORCPT ); Tue, 17 Oct 2017 08:39:03 -0400 Received: by mail-qt0-f176.google.com with SMTP id z19so3081920qtg.11 for ; Tue, 17 Oct 2017 05:39:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MvlMLetR2Cn4DELN5OYadsMvEoxmk72MU/F1uBwm9vg=; b=ITzJK1z/7Lqu4QfnCjhezX5DGbUie+zSrlqQueNzPIgo2RUZasAHmf0UCwtSQnBVgI NO8845+C4cdw8jQp1Tzr0qEuKwLKsBfGgYEYdVZrAm8Hcu9A6QmenIP4Y1ovIP3DvbO7 uzwBfUSQ/Bc1CbsmvLFCsebOmU/CD+E22QQCw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MvlMLetR2Cn4DELN5OYadsMvEoxmk72MU/F1uBwm9vg=; b=fd7ztrjaU9+YEHQpoZTmniERtgf0AwJ4uIbQAPPs/skU+F4p1ZEsHnl1BWeZPE5BUN s6nGMpQSo7t0eTmxAS9YQFN1AcPMkD1nUajbAk1QtAA5eT7A7mHOaPDZCvZikYZQrnzZ HLUp5V2pzZdPrymLn/++v+D64jLzmImsuVFWh8VnGLh72YoDAugCHUBuOUz1O1QKkwvY 83SfCqwTJyhP01/qqFqtbzyej9k6Lu2L2ox6zi3qWeozvKKpVIZlq1hqONkniLo8msRi ERHGD9shJ6ZYtQqoexitqqF4vvBP2Kym3UNkvxF9u+3V3oVJ0JDtQ7lZ/ql5oZNP0i3+ xiPA== X-Gm-Message-State: AMCzsaXKZn9XUtRfffhPguHHYRM0IRu2dm/JputcKCosaTPiWe2A1zHZ woMMvQPVAbwPHj7dy2kyYhG4bAoJwTwKLih+AEqTCQ== X-Google-Smtp-Source: AOwi7QBiW9likSru3hczoBAl/uQm5mRbXH1gqJ5ZZ45de7mvCqrzZ02vOdYFLG2BnMPzf4K28kz//+JRbXH3pCH7tFY= X-Received: by 10.200.4.29 with SMTP id v29mr19950905qtg.76.1508243942669; Tue, 17 Oct 2017 05:39:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.140.88.101 with HTTP; Tue, 17 Oct 2017 05:39:02 -0700 (PDT) In-Reply-To: <2a9246e0-eafa-7812-6cf4-2482ff1ed158@redhat.com> References: <1506518409-16887-3-git-send-email-benjamin.gaignard@linaro.org> <2e15edc2-a17f-3930-7d5b-4b5b7d2e0a4d@redhat.com> <20171003164849.rcdgez6lbpmq5llt@sirena.org.uk> <2417c969-357f-d5d9-153a-2180d09b0dc6@redhat.com> <20171003230830.GA132839@sspatil-desktop.mtv.corp.google.com> <20171004101720.ob5f467tro7agpcz@sirena.co.uk> <20171009220858.zwbguqkamzmswqcq@sirena.co.uk> <20171010091151.rfdsphstboubm7ps@sirena.co.uk> <2a9246e0-eafa-7812-6cf4-2482ff1ed158@redhat.com> From: Benjamin Gaignard Date: Tue, 17 Oct 2017 14:39:02 +0200 Message-ID: Subject: Re: [PATCH v5 2/2] staging: ion: create one device entry per heap To: Laura Abbott Cc: Mark Brown , Sandeep Patil , driverdevel , Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , "dri-devel@lists.freedesktop.org" , Linux Kernel Mailing List , Riley Andrews , linux-api@vger.kernel.org, Sumit Semwal , Dan Carpenter Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2017-10-17 0:09 GMT+02:00 Laura Abbott : > On 10/10/2017 02:11 AM, Mark Brown wrote: >> On Mon, Oct 09, 2017 at 05:10:37PM -0700, Laura Abbott wrote: >>> On 10/09/2017 03:08 PM, Mark Brown wrote: >>>> On Mon, Oct 09, 2017 at 02:25:47PM -0700, Laura Abbott wrote: >> >>>>> Anyway, to move this forward I think we need to see a proof of concept >>>>> of using selinux to protect access to specific heaps. >> >>>> Aren't Unix permissions enough with separate files or am I >>>> misunderstanding what you're looking to see a proof of concept for? >> >>> The goal is to be able to restrict heap access to certain services >>> and selinux groups on Android so straight unix permissions aren't >>> sufficient. >> >> Oh, there's Android users for this? The users I was aware of were >> non-Android. Though even so I'd have thought that given that SELinux is >> a superset of Unix file permissions it ought to be sufficient to be able >> to use them. I'd been thinking people were suggesting SELinux as a >> replacement for file permissions, using the single file and the greater >> capabilities of SELinux. >> > Unix file permissions are necessary but not sufficient, they > can be used separately. Mostly what I want to see before > merging this is an example that splitting the Ion heaps provides > more protection than just keeping /dev/ion. > To give you an example on my system I have cma regions and so 2 heaps. One is for video decoding/encoding usage and one is dedicated to display. The goal is to be sure to have enough memory for each devices With only one /dev/ion nothing (except heap id mask) prohibed one video apllication to use the cma region dedicated to display. With one device per heaps I could change the permissions to be sure that only display have access to the correct heap. In android init.rc file I will have to change chmod 0666 /dev/ion chown system graphics /dev/ion to something like chmod 0666 /dev/ion1 chown system graphics /dev/ion1 chmod 0666 /dev/ion2 chown system media /dev/ion2 Android SEpolicy is defined like that allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms; which means that apps could have access to /dev/ion with multiple devices we can imagine to protect some heap of being used by the apps, for example like this allow { appdomain -isolated_app } ion_device0:chr_file {open ioctl}; allow { system } ion_device1:chr_file {open ioctl}; allow { media } ion_device2:chr_file {open ioctl}; Benjamin > Thanks, > Laura From 1581476276437205558@xxx Tue Oct 17 04:08:26 +0000 2017 X-GM-THRID: 1579699119100728687 X-Gmail-Labels: Inbox,Category Forums