Re: [alsa-devel] [RFC PATCH] ALSA: core: Add DMA share buffer support

From: Takashi Iwai
Date: Fri Jan 25 2019 - 08:19:28 EST


On Wed, 23 Jan 2019 13:46:58 +0100,
Leo Yan wrote:
>
> Hi all,
>
> On Wed, Jan 23, 2019 at 12:58:51PM +0100, Takashi Iwai wrote:
> > On Tue, 22 Jan 2019 21:25:35 +0100,
> > Mark Brown wrote:
> > >
> > > On Mon, Jan 21, 2019 at 03:15:43PM +0100, Jaroslav Kysela wrote:
> > > > Dne 21.1.2019 v 13:40 Mark Brown napsal(a):
> > >
> > > > > It was the bit about adding more extended permission control that I was
> > > > > worried about there, not the initial O_APPEND bit. Indeed the O_APPEND
> > > > > bit sounds like it might also work from the base buffer sharing point of
> > > > > view, I have to confess I'd not heard of that feature before (it didn't
> > > > > come up in the discussion when Eric raised this in Prague).
> > >
> > > > With permissions, I meant to make possible to restrict the file
> > > > descriptor operations (ioctls) for the depending task (like access to
> > > > the DMA buffer, synchronize it for the non-coherent platforms and maybe
> > > > read/write the actual position, delay etc.). It should be relatively
> > > > easy to implement using the snd_pcm_file structure.
> > >
> > > Right, that's what I understood you to mean. If you want to have a
> > > policy saying "it's OK to export a PCM file descriptor if it's only got
> > > permissions X and Y" the security module is going to need to know about
> > > the mechanism for setting those permissions. With dma_buf that's all a
> > > bit easier as there's less new stuff, though I've no real idea how much
> > > of a big deal that actually is.
> >
> > There are many ways to implement such a thing, yeah. If we'd need an
> > implementation that is done solely in the sound driver layer, I can
> > imagine to introduce either a new ioctl or an open flag (like O_EXCL)
> > to specify the restricted sharing. That is, a kind of master / slave
> > model where only the master is allowed to manipulate the stream while
> > the slave can mmap, read/write and get status.
>
> I am lacking security related knowledge, especially for SELinux.
> So only can give background information but not sure if it's really
> helpful for discussion.
>
> Android web page [1] give some information for this:
>
> "The shared memory is referenced using a file descriptor that is
> generated by the ALSA driver. If the file descriptor is directly
> associated with a /dev/snd/ driver file, then it can be used by the
> AAudio service in SHARED mode. But the descriptor cannot be passed to
> the client code for EXCLUSIVE mode. The /dev/snd/ file descriptor
> would provide too broad of access to the client, so it is blocked by
> SELinux.
>
> In order to support EXCLUSIVE mode, it is necessary to convert the
> /dev/snd/ descriptor to an anon_inode:dmabuffer file descriptor.
> SELinux allows that file descriptor to be passed to the client. It can
> also be used by the AAudioService.
>
> An anon_inode:dmabuffer file descriptor can be generated using the
> Android Ion memory library."
>
> So we work out dmabuf driver for audio buffer, the audio buffer will
> be exported and attached by using dma-buf framework; then we can
> return one file descriptor which is generated by dma-buf and this
> file descriptor is bound with anon inode based on dma-buf core code.
>
> If we directly use the device node /dev/snd/ as file descriptor, even
> though we specify flag O_EXCL when open it, but it still is not an
> anon inode file descriptor. Thus this is not safe enough and will be
> blocked by SELinux. On the other hand, this patch wants to use
> dma-buf framework to provide file descriptor for the audio buffer, and
> this audio buffer can be one of mutiple audio buffers in the system
> and it can be shared to any audio client program.
>
> Again, I have no less knowledge for SELinux so sorry if I introduce any
> noise at here. And very appreciate any comments for this.

Hrm, it sounds like a workaround just to bypass SELinux check...

The sound server can open another PCM stream with O_APPEND, and pass
that fd to the client, too?


thanks,

Takashi