On 03/13/2017 02:29 PM, Rob Clark wrote: > On Mon, Mar 13, 2017 at 5:09 PM, Laura Abbott <labbott@xxxxxxxxxx> wrote: >>> Hm, we might want to expose all the heaps as individual >>> /dev/ion_$heapname nodes? Should we do this from the start, since >>> we're massively revamping the uapi anyway (imo not needed, current >>> state seems to work too)? >>> -Daniel >>> >> >> I thought about that. One advantage with separate /dev/ion_$heap >> is that we don't have to worry about a limit of 32 possible >> heaps per system (32-bit heap id allocation field). But dealing >> with an ioctl seems easier than names. Userspace might be less >> likely to hardcode random id numbers vs. names as well. > > > other advantage, I think, is selinux (brought up elsewhere on this > thread).. heaps at known fixed PAs are useful for certain sorts of > attacks so being able to restrict access more easily seems like a good > thing > > BR, > -R > Some other kind of filtering (BPF/LSM/???) might work as well (http://kernsec.org/files/lss2015/vanderstoep.pdf ?) The fixed PA issue is a larger problem. We're never going to be able to get away from "this heap must exist at address X" problems but the location of CMA in general should be randomized. I haven't actually come up with a good proposal to this though. I'd like for Ion to be a framework for memory allocation and not security exploits. Hopefully this isn't a pipe dream. Thanks, Laura
