On Wed, Jun 15, 2016 at 12:07 AM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> On 06/15/2016 04:11 AM, Andrew Lutomirski wrote:
>
>> I *strongly* disagree here. The xdg-app folks seem to be doing a
>> pretty good job with their sandbox. The kernel attack surface is
>> reduced considerably, as is the attack surface against the user via
>> ptrace and filesystem access. If Wayland is available (which it
>> should be!) then so is the attack surface against X.
>
>
> What about the direct access to DRI device nodes? Why isn't this a problem
> that reduces the effectiveness of the sandbox considerably?

I think the theory is to only allow access to render-nodes, which can only
access other processes' buffers via dma-buf import (i.e. the other process
had to pass you the file-descriptor, which would be how buffer sharing w/
the wayland compositor works).

Not completely sure off the top of my head what the current state of
things is w/ g-s wayland and use of render nodes vs. the legacy
everyone-open /dev/dri/card0 and do the dri2 auth dance.. but render-nodes
plus dma-buf is the way to isolate various users of the gpu as best as
possible.

BR,
-R

> Thanks,
> Florian
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
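The render-node plus dma-buf model described in the reply above, as an added example in C (Linux only; this is not code from the thread, the kernel, libdrm, xdg-app or GNOME). It shows the two checks a sandbox author would want: first, telling render nodes apart from the legacy /dev/dri/cardN nodes by DRM minor number, which is the minor >> 6 convention libdrm's drmGetNodeTypeFromFd() also uses (assumes the classic 64-minors-per-type layout and DRM char major 226; newer kernels can allocate minors beyond 191); second, the only way an importer gets at someone else's buffer, namely being handed the fd over a Unix socket with SCM_RIGHTS. A memfd stands in for a driver-exported dma-buf so the code runs without a GPU; all function names are hypothetical.

```c
/* Added example, not from the thread or any project. Linux, glibc >= 2.27. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/uio.h>

/* DRM node types are encoded in the minor: 0-63 primary (/dev/dri/cardN,
 * modesetting + legacy DRI2 auth), 64-127 control (legacy), 128-191 render
 * (/dev/dri/renderDN). Assumption: classic layout of the 2016-era kernels. */
enum { DRM_NODE_PRIMARY = 0, DRM_NODE_CONTROL = 1, DRM_NODE_RENDER = 2, DRM_NODE_UNKNOWN = -1 };
#define DRM_MAJOR 226 /* char major for Direct Rendering Infrastructure */

int drm_node_type_from_minor(unsigned int min_no)
{
    unsigned int type = min_no >> 6;                 /* same test as libdrm */
    return type <= DRM_NODE_RENDER ? (int)type : DRM_NODE_UNKNOWN;
}

/* Policy: expose render nodes only; card/control nodes give the sandboxed
 * process the display and the legacy auth path. 1 = allow, 0 = deny. */
int sandbox_may_expose_drm_minor(unsigned int min_no)
{
    return drm_node_type_from_minor(min_no) == DRM_NODE_RENDER;
}

/* Same policy applied to an opened node. -1 = not a DRM char device at all. */
int sandbox_may_expose_drm_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode) || major(st.st_rdev) != DRM_MAJOR)
        return -1;
    return sandbox_may_expose_drm_minor(minor(st.st_rdev));
}

/* Buffer sharing: the exporter hands over an fd with SCM_RIGHTS (what a
 * Wayland compositor and client do over the display socket). */
union fd_ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_ctl ctl; memset(&ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

int recv_fd(int sock)                                 /* returns new fd or -1 */
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_ctl ctl; memset(&ctl, 0, sizeof ctl);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                                    /* no fd was attached */
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* End to end: exporter fills a buffer (memfd standing in for a dma-buf),
 * passes the fd; importer gets a distinct fd to the same object and reads
 * the constructed payload back. Returns 1 on success. */
int demo_share_buffer(void)
{
    static const char payload[] = "pixels";           /* constructed sample */
    int sv[2], exported, imported, ok = 0;
    char got[sizeof payload] = { 0 };
    struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    exported = memfd_create("fake-dma-buf", 0);
    if (exported < 0 || pwrite(exported, payload, sizeof payload, 0) != (ssize_t)sizeof payload)
        return 0;
    if (send_fd(sv[0], exported) == 0 && (imported = recv_fd(sv[1])) >= 0) {
        ok = fstat(exported, &a) == 0 && fstat(imported, &b) == 0 &&
             a.st_ino == b.st_ino && imported != exported &&
             pread(imported, got, sizeof got, 0) == (ssize_t)sizeof got &&
             memcmp(got, payload, sizeof payload) == 0;
        close(imported);
    }
    close(exported); close(sv[0]); close(sv[1]);
    return ok;
}

int main(void)
{
    printf("minor 0 (card0) allowed: %d\n", sandbox_may_expose_drm_minor(0));
    printf("minor 128 (renderD128) allowed: %d\n", sandbox_may_expose_drm_minor(128));
    printf("fd passing round-trip ok: %d\n", demo_share_buffer());
    return 0;
}
```

The minor-number check is what a sandbox would apply when deciding which /dev/dri nodes to bind-mount; the fd round-trip shows why a render-node client cannot simply name another process's buffer: without the exporter's cooperation there is nothing to import.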