Date: Mon, 6 May 2024 14:11:07 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: Safety of opening up /dev/dma_heap/* to physically present users (udev uaccess tag) ?
From: Hans de Goede
To: Maxime Ripard
Cc: Sumit Semwal, Benjamin Gaignard, Brian Starkey, John Stultz, "T.J. Mercier", Christian König, Lennart Poettering, Robert Mader, Sebastien Bacher, Linux Media Mailing List, "dri-devel@lists.freedesktop.org", linaro-mm-sig@lists.linaro.org, Linux Kernel Mailing List, Bryan O'Donoghue, Milan Zamazal, Andrey Konovalov
In-Reply-To: <20240506-dazzling-nippy-rhino-eabccd@houat>

Hi Maxime,

On 5/6/24 2:05 PM, Maxime Ripard wrote:
> Hi,
>
> On Mon, May 06, 2024 at 01:49:17PM GMT, Hans de Goede wrote:
>> Hi dma-buf maintainers, et.al.,
>>
>> Various people have been working on making complex/MIPI cameras work OOTB
>> with mainline Linux kernels and an opensource userspace stack.
>>
>> The generic solution adds a software ISP (for Debayering and 3A) to
>> libcamera. Libcamera's API guarantees that buffers handed to applications
>> using it are dma-bufs so that these can be passed to e.g. a video encoder.
>>
>> In order to meet this API guarantee the libcamera software ISP allocates
>> dma-bufs from userspace through one of the /dev/dma_heap/* heaps.
>> For the Fedora COPR repo for the PoC of this:
>> https://hansdegoede.dreamwidth.org/28153.html
>
> For the record, we're also considering using them for ARM KMS devices,
> so it would be better if the solution wasn't only considering v4l2
> devices.
>
>> I have added a simple udev rule to give physically present users access
>> to the dma_heap-s:
>>
>> KERNEL=="system", SUBSYSTEM=="dma_heap", TAG+="uaccess"
>>
>> (and on Raspberry Pi devices any users in the video group get access)
>>
>> This was just a quick fix for the PoC. Now that we are ready to move out
>> of the PoC phase and start actually integrating this into distributions
>> the question becomes if this is an acceptable solution; or if we need some
>> other way to deal with this ?
>>
>> Specifically the question is if this will have any negative security
>> implications? I can certainly see this being used to do some sort of
>> denial of service attack on the system (1). This is especially true for
>> the cma heap which generally speaking is a limited resource.
>
> There's plenty of other ways to exhaust CMA, like allocating too much
> KMS or v4l2 buffers. I'm not sure we should consider dma-heaps
> differently than those if it's part of our threat model.

Ack.

>> But devices tagged for uaccess are only opened up to users who are
>> physically present behind the machine and those can just hit
>> the powerbutton, so I don't believe that any *on purpose* DOS is part of
>> the threat model.
>
> How would that work for headless devices?

The uaccess tag solution does not work for headless devices, but it also
should not hurt any headless scenarios.

Headless devices could use something like the video group solution
(dma_heap group?) which Raspberry Pi is using and then make sure that any
services which need access run as a user in that group. This can co-exist
with uaccess tags since those use ACLs not classic Unix permissions.

Regards,

Hans
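
The closing point of the reply above is that a group-based rule for headless services and the uaccess tag can coexist, because uaccess grants access through ACL entries rather than the node's classic owner/group/mode bits. The following is an added example, not code from the thread or from any project it mentions: it parses `getfacl` output for a heap node and reports which mechanism grants each principal access. The sample output, the user name `alice` and the `root:video` ownership are constructed assumptions.

```python
import re

# Constructed sample of `getfacl /dev/dma_heap/system` output (not from the thread):
# node owned by root:video, plus a per-user ACL entry for a seated user "alice".
SAMPLE = """\
# file: dev/dma_heap/system
# owner: root
# group: video
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, [(tag, qualifier, perms), ...]) from getfacl text."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if m:
            meta[m.group(1)] = m.group(2)
        elif line and not line.startswith("#"):
            # Drop a trailing "#effective:..." comment before splitting the entry.
            tag, qual, perms = line.split("#")[0].strip().split(":")
            entries.append((tag, qual, perms))
    return meta.get("owner"), meta.get("group"), entries

def access_report(text):
    """List (mechanism, principal, effective_perms) for everyone who can open the node."""
    owner, group, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    report = []
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        # The ACL mask caps named users, the owning group and named groups only.
        capped = tag == "group" or (tag == "user" and qual != "")
        eff = "".join(c if not capped or c in mask else "-" for c in perms)
        if eff.startswith("--"):
            continue  # neither read nor write: cannot use the heap
        if tag == "user":
            report.append(("acl-user", qual, eff) if qual else ("unix-owner", owner, eff))
        elif tag == "group":
            report.append(("acl-group", qual, eff) if qual else ("unix-group", group, eff))
        else:
            report.append(("world", "*", eff))
    return report
```

A `world` row in the report means the node is open to every local account, which is wider than either the uaccess or the group approach discussed in the thread.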