On Wed, May 22, 2024 at 03:34:52PM +0200, Maxime Ripard wrote:
Hi,
On Mon, May 06, 2024 at 03:38:24PM GMT, Daniel Vetter wrote:
On Mon, May 06, 2024 at 02:05:12PM +0200, Maxime Ripard wrote:
Hi,
On Mon, May 06, 2024 at 01:49:17PM GMT, Hans de Goede wrote:
Hi dma-buf maintainers, et.al.,
Various people have been working on making complex/MIPI cameras work OOTB with mainline Linux kernels and an opensource userspace stack.
The generic solution adds a software ISP (for Debayering and 3A) to libcamera. Libcamera's API guarantees that buffers handed to applications using it are dma-bufs so that these can be passed to e.g. a video encoder.
In order to meet this API guarantee the libcamera software ISP allocates dma-bufs from userspace through one of the /dev/dma_heap/* heaps. For the Fedora COPR repo for the PoC of this: https://hansdegoede.dreamwidth.org/28153.html
For the record, we're also considering using them for ARM KMS devices, so it would be better if the solution wasn't only considering v4l2 devices.
I have added a simple udev rule to give physically present users access to the dma_heap-s:
KERNEL=="system", SUBSYSTEM=="dma_heap", TAG+="uaccess"
(and on Rasperry Pi devices any users in the video group get access)
This was just a quick fix for the PoC. Now that we are ready to move out of the PoC phase and start actually integrating this into distributions the question becomes if this is an acceptable solution; or if we need some other way to deal with this ?
Specifically the question is if this will have any negative security implications? I can certainly see this being used to do some sort of denial of service attack on the system (1). This is especially true for the cma heap which generally speaking is a limited resource.
There's plenty of other ways to exhaust CMA, like allocating too much KMS or v4l2 buffers. I'm not sure we should consider dma-heaps differently than those if it's part of our threat model.
So generally for an arm soc where your display needs cma, your render node doesn't. And user applications only have access to the later, while only the compositor gets a kms fd through logind. At least in drm aside from vc4 there's really no render driver that just gives you access to cma and allows you to exhaust that, you need to be a compositor with drm master access to the display.
Which means we're mostly protected against bad applications, and that's not a threat the "user physically sits in front of the machine accounts for", and which giving cma access to everyone would open up. And with flathub/snaps/... this is very much an issue.
So you need more, either:
- cgroups limits on dma-buf and dma-buf heaps. This has been bikeshedded for years and is just not really moving.
For reference, are you talking about:
https://lore.kernel.org/r/20220502231944.3891435-1-tjmercier@google.com
Or has there been a new version of that recently?
I think the design feedback from Tejun has changed to that system memory should be tracked with memcg instead (but that kinda leaves the open of what to do with cma), and only device memory be tracked with a separate cgroups controller.
But I'm also not sure whether that would actually solve all the tracking/isolation requirements people tossed around or just gives us something that wont get the job done.
Either way, yes I think that was the most recent code. -Sima