1. 07 Sep, 2013 2 commits
    • David Herrmann's avatar
      Input: evdev - add EVIOCREVOKE ioctl · c7dc6573
      David Herrmann authored
      If we have multiple sessions on a system, we normally don't want
      background sessions to read input events. Otherwise, it could capture
      passwords and more entered by the user on the foreground session. This is
      a real world problem as the recent XMir development showed:
        http://mjg59.dreamwidth.org/27327.html
      
      We currently rely on sessions to release input devices when being
      deactivated. This relies on trust across sessions. But that's not given on
      usual systems. We therefore need a way to control which processes have
      access to input devices.
      
      With VTs the kernel simply routed them through the active /dev/ttyX. This
      is not possible with evdev devices, though. Moreover, we want to avoid
      routing input-devices through some dispatcher-daemon in userspace (which
      would add some latency).
      
      This patch introduces EVIOCREVOKE. If called on an evdev fd, this revokes
      device-access irrecoverably for that *single* open-file. Hence, once you
      call EVIOCREVOKE on any dup()ed fd, all fds for that open-file will be
      rather useless now (but still valid compared to close()!). This allows us
      to pass fds directly to session-processes from a trusted source. The
      source keeps a dup()ed fd and revokes access once the session-process is
      no longer active.
      Compared to the EVIOCMUTE proposal, we can avoid the CAP_SYS_ADMIN
      restriction now as there is no way to revive the fd again. Hence, a user
      is free to call EVIOCREVOKE themself to kill the fd.
      
      Additionally, this ioctl allows multi-layer access-control (again compared
      to EVIOCMUTE which was limited to one layer via CAP_SYS_ADMIN). A middle
      layer can simply request a new open-file from the layer above and pass it
      to the layer below. Now each layer can call EVIOCREVOKE on the fds to
      revoke access for all layers below, at the expense of one fd per layer.
      
      There's already ongoing experimental user-space work which demonstrates
      how it can be used:
        http://lists.freedesktop.org/archives/systemd-devel/2013-August/012897.htmlSigned-off-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      c7dc6573
    • Dmitry Torokhov's avatar
      Merge branch 'next' into for-linus · 07176b98
      Dmitry Torokhov authored
      Merge first round of changes for 3.12 merge window.
      07176b98
  2. 29 Aug, 2013 6 commits
  3. 26 Aug, 2013 8 commits
  4. 25 Aug, 2013 4 commits
  5. 15 Aug, 2013 3 commits
  6. 13 Aug, 2013 15 commits
  7. 13 Jul, 2013 1 commit
  8. 07 Jul, 2013 1 commit