[00:08] <sbeattie> bryceh, cnd, and mlankhorst: I published bryceh's revert of the 10.2 and 10.3 through precise-security
[00:10] <bryceh> thanks sbeattie
[00:14] <bryceh> sbeattie, hmm I just got a reject message back on 10.6
[00:20] <bryceh> sbeattie, guessing it's because it went through -security so the -proposed one can be canceled?
[01:56] <RAOF> mlankhorst: Hey, how much do you know about drm authentication stuff?
[01:57] <mlankhorst> not much, X server handles most of it, why?
[02:12] <mlankhorst> oh right it probably screws up on prime
[02:13] <mlankhorst> for some reason it only works there if i set /dev/dri/* to 666 even if im a member of video
[02:20] <RAOF> mlankhorst: More I mean “what stops me from flinking random numbers until I hit upon the framebuffer/other juicy buffers and then screen cap everyone else's session from my user's logged in session?”
[02:23] <mlankhorst> erm a handle to a bo is mapped per file
[02:26] <RAOF> But you can retrieve that bo from the global name, right?
[02:29] <RAOF> Via such magic as nouveau_bo_wrap and such.
[02:29] <mlankhorst> in prime?
[02:29] <RAOF> In general.
[02:30] <mlankhorst> doubt it, anyhow I think X is partly responsible for security as well
[02:30] <RAOF> From talking with airlied it's tied up with drm master, but I can't see how that's actually implemented in drivers/gpu/drm/*
[02:32] <mlankhorst> drm_gem probably
[02:32] <RAOF> Yeah; it's all protected with DRM_AUTH.
[02:33] <RAOF> But *everything's* got DRM_AUTH.
[02:33] <RAOF> Hm. Unless dropping master revokes that auth; but then I don't think the X server or clients reauth on VT switch in, so I don't think that's it.
[02:39] <mlankhorst> I'm not sure it would matter, if you get the fd you probably already have enough privilege
[02:39] <RAOF> But you can pass across fds.
[02:40] <RAOF> mesa & X have different drm fds but share buffers.
[02:48] <mlankhorst> not sure
[02:48] <RAOF> Ok. At least that makes two of us :)
[02:50] <mlankhorst> prime is simply fd passing though
[02:51] <RAOF> My concern is with the system-compositor; it breaks some assumptions that may have been there providing security (the currently logged-in user is drm master, when you switch user they drop master, only the currently logged in user is in the active vt, etc)
[02:52] <mlankhorst> so try to write an exploit to steal someone else's bo :-)
[02:54] <RAOF> Ah. The experimentalist approach!
[02:55] <RAOF> I prefer to start with the “ask someone who knows what the hell is going on” approach; it makes everything easier ☺
[02:56] <mlankhorst> oh with nouveau it's usually easier to start with RE'ing
[02:57] <RAOF> Well I feel that the nouveau code could do with a clean up if the easiest way to understand it is to reverse-engineer the open source driver :)
[02:57] <RAOF> And this (should be?) is in the common drm infrastructure, anyway.
[02:58] <mlankhorst> RAOF: I don't mean RE'ing nouveau
[02:58] <mlankhorst> the other implementation
[02:59] <mlankhorst> you're the kind of person that sees 2 and 2 and thinks 2 right?
[03:02] <mlankhorst> although sometimes RE'ing is hard, I tried to RE aaronp but he didn't manage to get me the answer whether nvidia supports y swizzling or not :(
[03:40] <RAOF> Ah. So, it seems the answer to “how does drm auth prevent inactive users from snooping on the active user's buffers” is “it doesn't”. Hurrah!
[06:20] <sbeattie> bryceh: yeah, correct, I had them dump the one in the unaccepted proposed queue, since I'd already pushed it through -security (and by extension, -updates)
[08:34] <mlankhorst> RAOF: figures, I guess having access to the nodes means you can probably look at the screen too :-)
[08:35] <RAOF> mlankhorst: You shouldn't, though.
[08:35] <RAOF> *Particularly* when you're not actually active.
[08:35] <mlankhorst> still beats nvidia in security, though
[08:36] <RAOF> Well, yes. You get to screen-scrape other users, rather than escalate-to-root :)
[08:43] <mlankhorst> upgrading everything to xorg 1.13 has proven to be a royal pain..
[08:48] <mlankhorst> I guess with all the major ones done I should focus on bumping all input drivers first
[08:59] <mlankhorst> RAOF: did we upload new libdrm yet?
[09:02] <seb128> mlankhorst, hey, do you feel better today?
[09:03] <mlankhorst> slightly :)
[09:03] <mlankhorst> milk + honey helps a lot
[09:04] <seb128> mlankhorst, not sure if you saw but bryce did an upload reverting the previous SRUs fixes to workaround the segfault
[09:04] <mlankhorst> not against the sickness but I can at least talk some again
[09:04] <mlankhorst> yeah I saw
[09:04] <mlankhorst> I'll put it on the blueprint to fix
[09:04] <seb128> mlankhorst, it would still be good to debug the real issue and add those back with the segfault fix, but it's less of a hurry with the revert in
[09:05] <seb128> mlankhorst, thanks
[09:07] <mlankhorst> wow ppa buildqueue is empty? Time to saturate it
[09:11] <mlankhorst> >:D
[09:13] <mlankhorst> RAOF: time for.. https://launchpad.net/~mlankhorst/+archive/x-1.13
[09:15] <mlankhorst> how do I get arm enabled in my ppa though?
[09:21] <mlankhorst> https://launchpad.net/ubuntu/quantal/+source/x11proto-randr/1.4.0+git20101207.0d32bb07-0ubuntu2 argh........ why call it 1.4.0 when it isn't O_O
[09:37] <mlankhorst> RAOF: what should we do about binary driver breakage with x1.13?
=== jibel_ is now known as jibel
[11:07] <mlankhorst> yikes, seems my testing machine is dying
[11:10] <mlankhorst> sata errors and mounting r/o is probably not good..
[13:18] <ogra_> heh, xinerama is funny ... if i move glxgears around on a three headed two cards multi screen xinerama setup, i get
[13:18] <ogra_> 8146 frames in 5.0 seconds = 1629.200 FPS
[13:19] <ogra_> 579 frames in 5.0 seconds = 115.800 FPS
[13:19] <ogra_> the latter is the low power card indeed ...
[13:20] <ogra_> if i play a game that actually spreads fullscreen across both cards/all monitors ... does xorg take an average value between the two cards or would i be capped to the lowest framerate ?
[13:24] <mlankhorst> I didn't know xinerama did acceleration
[13:24] <mlankhorst> capped to lowest most likely
[13:25] <ogra_> well, i can play Xonotic with ~70fps at 5760x1080 ...
[13:25] <ogra_> (just tried)
[13:26] <ogra_> (with effects set to ultra)
[13:27] <ogra_> that somewhat looks like it uses an average or so
[13:32] <mlankhorst> nvidia drivers?
[13:38] <ogra_> sadly they drop randr and composite as soon as you switch on xinerama ...
[13:40] <mlankhorst> I didn't know it even supported xinerama, most of the time it will cause loss of all acceleration
[13:43] <ogra_> well, given that radeon doesn't work at all in this config, i'm happy to at least have the fglrx stuff
[14:52] <mlankhorst> ok input rebuilds, looks like 37 video drivers will need a version bump..
[14:57] <mlankhorst> RAOF/bryceh: I doubt this can be automated, so could one of you maybe do it? I prepared nouveau, ati and cirrus in debian-experimental, so would just be a simple merge for those..
[14:58] <mlankhorst> modesetting lacks any acceleration so it will work, I'll try uploading the rest to my ppa to see which works and which doesn't
[14:59] <mlankhorst> oh right intel too
[15:15] <mlankhorst> https://launchpad.net/~mlankhorst/+archive/x-1.13/+packages all those xserver-xorg-video-* need an update..
=== shadeslayer_ is now known as evilshadeslayer
=== yofel_ is now known as yofel
[18:47] <Sarvatt> RAOF: here's the latest version of your out of tree stuff (with src/mesa/Makefile.am fixes added to fix i386 builds..) if it helps any http://bazaar.launchpad.net/~xorg-edgers/xorg-server/xorg-pkg-tools/view/head:/hooks/mesa-out-of-tree.patch
[18:48] <Sarvatt> darn thing needs refreshing every day :)
[18:50] <Sarvatt> saw you mention rebasing the patches the other day
[19:00] <ricotz> Sarvatt, hey, you are still having fun with mesa :\
[19:01] <Sarvatt> ricotz: yeah up to 6 commits that needed backporting to fix the build from this morning's checkout
[19:01] <Sarvatt> hopefully this one works :)
[19:01] <ricotz> hmm, aics it doesn't :\
[19:02] <ricotz> 8.1~git20120717.f42e601c-0ubuntu0sarvatt5
[19:02] <Sarvatt> 6 is already uploaded
[19:02] <ricotz> ok ;)
[19:02] <Sarvatt> with http://cgit.freedesktop.org/mesa/mesa/commit/?id=bf484024b944a452e9022a1098313663e0028b29
[19:03] <ricotz> you can upload a clean tarball too, just rename the version and tar.gz according to 8.1~git20120717.rX.f42e601c
[19:04] <ricotz> i meant 8.1~git20120717.rX.xxxxxxxx
[19:04] <Sarvatt> if this doesn't build either i will
[19:06] <ricotz> i hope it works
[19:12] <Sarvatt> ricotz: doesn't look promising http://tinderbox.x.org/builds/2012-07-17-0023/logs/libGL/#build
[19:13] <Sarvatt> ..and it failed in gbm
[19:16] <ricotz> Sarvatt, this looks fixed in master
[19:16] <Sarvatt> yeah i'm doing a new tarball now
[19:33] <Sarvatt> sucks the dev release gets +50 build score :)
[19:35] <ricotz> quantal rules :P
[19:38] <ricotz> Sarvatt, damn symbols, but it looks good
[19:39] <Sarvatt> ricotz: ARGH :)
[19:39] <ricotz> looks like an abi break
[19:41] <mlankhorst> Sarvatt: if you had upload rights you could fixup the entire x1.13 stuff :-)
[19:42] <Sarvatt> it's not like we can upload it until the nvidia blob works :P
[19:42] <Sarvatt> got a month or more
[19:43] <mlankhorst> Sarvatt: true but have to update every single package that depends on video abi since rebuild won't work with this big abi breakage
[19:44] <mlankhorst> I will probably just upload the major ones to my repo for now
[19:44] <mlankhorst> eg cirrus, vmware, ati, nouveau, modesetting, intel
[19:45] <ricotz> mlankhorst, there are still some patch-rewrites needed too
[19:46] <mlankhorst> ricotz: I uploaded xorg-server just fine though?
[19:46] <ricotz> mlankhorst, i meant of the video drivers ;)
[19:47] <ricotz> like for xserver-xorg-video-tdfx
[19:47] <mlankhorst> oh sure
[19:47] <ricotz> and most of them are broken due to the xaa removal
[19:48] <jcristau> are there still any users for the tdfx driver?
[19:48] <ricotz> no idea
[19:49] <Sarvatt> looks like it's just tdfx broken against xserver 1.12 today, was a bunch more broken yesterday before the releases
[19:50] <Sarvatt> ricotz: it probably builds fine against 1.13?
[19:50] <ricotz> Sarvatt, upstream is fine, but the debian patches break it
[19:51] <ricotz> i might have confused this with another package
[19:52] <mlankhorst> Sarvatt: airlied updated all xorg driver upstreams and in most cases released a new version so it builds
[22:02] <bryceh> mlankhorst, what's up?
[22:03] <bryceh> ah new drivers, yes may be worth resyncing
[22:04] <mlankhorst> yeah the thing is with debian freeze it's hard to upload there first
[22:04] <mlankhorst> so that means literally uploading every driver to ubuntu directly..
[22:05] <bryceh> will debian be pulling them in at some point within the next month?
[22:06] <bryceh> I think, unless something's broken, there is not a rush to get them in; we'll need to poke all the drivers anyway if/when we pull in the newer xserver.
[22:16] <bryceh> mlankhorst, maybe debian would be willing to pull the newer versions into experimental, and then we could sync from there?
[22:17] <mlankhorst> bryceh: maybe, anyone here has the capability to upload to experimental?
[22:17] <bryceh> mlankhorst, tjaalton might.
[22:41] <mlankhorst> ok I'll try him :)
[22:41] <mlankhorst> don't know if he's back from vacation yet though
[23:07] <RAOF> mlankhorst: The way we deal with binary driver breakage in 1.13 is an email to various lists saying “we're about to break the binary drivers until we get a new set of blobs”
