On Wed, 30 Jan 2019 23:32:37 +0100, Mark Brown wrote:
>
> On Wed, Jan 30, 2019 at 01:41:37PM +0100, Jaroslav Kysela wrote:
>
> > This patchset contains the anonymous dup implementation with permissions
> > checking for the ALSA's PCM interface in kernel to enable the restricted
> > DMA sound buffer sharing for the restricted tasks.
> >
> > The code was tested through qemu and it seems to be pretty stable.
> >
> > The initial tinyalsa implementation can be found here:
> >
> > https://github.com/perexg/tinyalsa/commits/anondup
> >
> > The filtering might be refined. It depends on the real requirements.
> > Perhaps, we may create more ioctl groups. Any comments are more than
> > welcome.
>
> My understanding based on some off-list discussion is that the Android
> security people are going to see anything that involves passing more
> than a block of memory (and in particular anything that gives access to
> the sound APIs) as a problem. That's obviously going to be an issue for
> anything O_APPEND based. My understanding is that this is fundamentally
> a risk mitigation thing - by not having any of the sound kernel
> interfaces available to the applications affected there's no possibility
> that any problems in the sound code can cause security issues.

Patch 2 implements exactly that kind of access restriction, so that the
passed fd won't do anything other than what is wished.

If we want to be super-conservative, the implementation could be even
simpler -- instead of filtering, we may pass a minimum fd ops that
contains only mmap and release for the anon-dup fd...

thanks,

Takashi

_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
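The thread turns on one property: the fd handed to the restricted task should let it map the buffer and nothing else. The program below is an added example, not code from the patch set or from the tinyalsa tree. It shows how the receiving side can verify that property empirically rather than trust the sender: it hands an fd across a unix socket with SCM_RIGHTS, the way a sound server would pass it to a client, and then probes which operations the received fd accepts. Because the anon-dup fd needs the kernel change under discussion, a size-sealed memfd stands in for the PCM buffer fd here (an assumption, as are the function names `make_buffer_fd`, `hand_over` and `probe_fd`); the stand-in still allows read and write, which an fd whose ops contain only mmap and release would refuse (the VFS returns EINVAL for read/write on a file with no read or write op). The probe therefore takes the ioctl number to try as a parameter: `TIOCGWINSZ` is only a placeholder, and against a real ALSA fd one would pass a `SNDRV_PCM_IOCTL_*` number from `<sound/asound.h>` to see whether the filtering in patch 2 rejects it.

```c
/* Added example: receiver-side capability probe for a shared buffer fd.
 * A size-sealed memfd stands in for the anon-dup PCM fd (assumption). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

enum { CAP_MMAP = 1, CAP_READ = 2, CAP_WRITE = 4, CAP_IOCTL = 8, CAP_RESIZE = 16 };

/* Create the buffer fd with a pinned size: SHRINK|GROW seals freeze the size,
 * F_SEAL_SEAL stops the receiver from changing the seal set afterwards. */
int make_buffer_fd(size_t len)
{
    int fd = memfd_create("pcm-buffer", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)len) < 0 ||
        fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Pass the fd to the "restricted" side over a socketpair using SCM_RIGHTS and
 * return the receiver's copy (a distinct descriptor referring to the same file). */
int hand_over(int fd)
{
    int sv[2], received = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0)
        return -1;
    char byte = 0;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    if (sendmsg(sv[0], &msg, 0) == 1 && recvmsg(sv[1], &msg, 0) == 1 &&
        (c = CMSG_FIRSTHDR(&msg)) != NULL &&
        c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&received, CMSG_DATA(c), sizeof(int));
    close(sv[0]);
    close(sv[1]);
    return received;
}

/* Report what the holder of `fd` can actually do with it. `req` is the ioctl
 * number to probe; ENOTTY means the file has no usable ioctl entry for it. */
unsigned probe_fd(int fd, size_t len, unsigned long req)
{
    unsigned caps = 0;
    char buf[64] = { 0 };
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p != MAP_FAILED) {
        caps |= CAP_MMAP;
        munmap(p, len);
    }
    if (pread(fd, buf, 1, 0) >= 0)
        caps |= CAP_READ;
    if (pwrite(fd, buf, 1, 0) >= 0)
        caps |= CAP_WRITE;
    if (ioctl(fd, req, buf) >= 0 || errno != ENOTTY)
        caps |= CAP_IOCTL;
    if (ftruncate(fd, (off_t)len * 2) == 0)   /* growing a sealed memfd fails */
        caps |= CAP_RESIZE;
    return caps;
}

int main(void)
{
    int fd = make_buffer_fd(4096);
    int rfd = fd < 0 ? -1 : hand_over(fd);
    if (rfd < 0) {
        perror("setup");
        return 1;
    }
    unsigned caps = probe_fd(rfd, 4096, TIOCGWINSZ);  /* placeholder ioctl */
    printf("mmap=%u read=%u write=%u ioctl=%u resize=%u\n",
           !!(caps & CAP_MMAP), !!(caps & CAP_READ), !!(caps & CAP_WRITE),
           !!(caps & CAP_IOCTL), !!(caps & CAP_RESIZE));
    return 0;
}
```

With the memfd stand-in the probe reports mmap allowed, ioctl refused and resize refused; read and write still succeed, which is exactly the gap between "a block of memory with a fixed size" and the mmap-and-release-only fd proposed in the reply. Run against the real anon-dup fd with a PCM ioctl number, the same probe shows whether the ioctl filtering behaves as the patch intends.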