On Wed, Jun 15, 2016 at 12:07 AM, Florian Weimer <fweimer(a)redhat.com> wrote:
On 06/15/2016 04:11 AM, Andrew Lutomirski wrote:
> I *strongly* disagree here. The xdg-app folks seem to be doing a
> pretty good job with their sandbox. The kernel attack surface is
> reduced considerably, as is the attack surface against the user via
> ptrace and filesystem access. If Wayland is available (which is
> should be!) then so is the attack surface against X.
What about the direct access to DRI device nodes? Why isn't this a problem
that reduces the effectiveness of the sandbox considerably?
I think the theory is only allow access to render-nodes, which can
only access other processes buffers via dma-buf import (ie. other
process had to pass you the file-descriptor, which would be how buffer
sharing w/ wayland compositor works)
Not completely sure off the top of my head what the current state of
things are w/ g-s wayland and use of render nodes vs legacy
everyone-open /dev/dri/card0 and do dri2 auth dance.. but
render-nodes plus dma-buf is the way to isolate various users of gpu
as best as possible.
BR,
-R
> Thanks,
> Florian
>
> --
> devel mailing list
> devel(a)lists.fedoraproject.org
>
https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org