Closed Bug 1308851 Opened 6 years ago Closed 6 years ago

WebGL on NVIDIA's proprietary driver is blocked by seccomp-bpf policy

Categories

(Core :: Security: Process Sandboxing, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: gcp, Unassigned)

References

Details

Attachments

(1 file)

Blocks: 1289718
Could it be the reason why some WebGL demos are failing in recent Nightlies? This is in particular affecting some WebAssembly demos like http://webassembly.github.io/demo, which we would like to keep up and running for all the Firefox Nightly users (webassembly is enabled only on nightly, which is the most popular demo we're all advertising).

If I understand the comments linked in comment 0 correctly, this is Linux only, at least?
Flags: needinfo?(gpascutto)
This is Linux only, and depends on the specific driver.
Flags: needinfo?(gpascutto)
Thanks. Is there a way to disable it dynamically, for testing purposes?
Also, when you say "this specific driver", do you mean all the binary drivers provided by nvidia? I'm using 4.5.0 NVIDIA 352.63 (linux too), fwiw.
Flags: needinfo?(gpascutto)
(In reply to Benjamin Bouvier [:bbouvier] from comment #3)
> Thanks. Is there a way to disable it dynamically, for testing purposes?

Read the announcement posted a few days ago in moz.dev.platform, "Linux content sandbox tightened".
Flags: needinfo?(gpascutto)
Sandbox: SandboxBroker: denied op=0 rflags=0 perms=0 path=/etc/nvidia/nvidia-application-profiles-rc.d/ for pid=31884 error="No such file or directory"
Sandbox: SandboxBroker: denied op=0 rflags=0 perms=0 path=/etc/nvidia/nvidia-application-profiles-rc.d/ for pid=31884 error="No such file or directory"
Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidiactl for pid=31884 error="No such file or directory"

The /etc access should be harmless; I don't actually have this file.

It's trying to write directly to that /dev/nvidiactl device from the content process. I guess we'll have to whitelist this until the gfx people get more stuff into a separate process.
Summary: WebGL1 and WebGL2 not working with seccomp-bpf filesystem policy → WebGL on NVIDIA's proprietary driver is blocked by seccomp-bpf policy
There's more:

Sandbox: SandboxBroker: denied op=0 rflags=2000002 perms=3 path=/dev/nvidia-modeset for pid=6540 error="No such file or directory"
Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidia-modeset for pid=6540 error="No such file or directory"
Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidia0 for pid=6540 error="No such file or directory"
Sandbox: SandboxBroker: denied op=6 rflags=777 perms=3 path=/tmp for pid=13407 error="No such file or directory"
Sandbox: SandboxBroker: denied op=6 rflags=777 perms=3 path=/home for pid=13407 error="No such file or directory"
Sandbox: SandboxBroker: denied op=2 rflags=0 perms=0 path=/home/morbo/.nv/ for pid=13407 error="No such file or directory"
Sandbox: SandboxBroker: denied op=6 rflags=700 perms=0 path=/home/morbo/.nv/ for pid=13407 error="No such file or directory"

These don't seem to be required to get WebGL to work. Two questions though:

a) Why it's trying to create /tmp even though it already exists - it shouldn't be doing that in the first place. This might confuse the driver.
b) What it's trying to store in ~/.nv. We might be breaking shader caches or something like that, IIRC we have similar problems on Windows.
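A small triage helper, added here as an example and not Firefox code, that decodes the broker denial lines quoted in the two comments above into the access each path was asked for, so that a device allow-list covers only what the driver actually opens read-write and the other denials stay denied. The op-to-name mapping is an assumption inferred from these lines, rflags is taken as octal (2000002 reads as O_CLOEXEC|O_RDWR on Linux), and the sample lines are a subset of those from this bug.

```python
import os
import re
from collections import defaultdict

# Assumed op names, inferred from this bug's lines (open(2) flags with op=0,
# a stat of ~/.nv/ with op=2, mkdir modes with op=6), not the broker's enum.
# rflags is printed in octal: 2000002 is O_CLOEXEC|O_RDWR on Linux.
OP_NAMES = {0: "open", 2: "stat", 6: "mkdir"}
O_CLOEXEC = getattr(os, "O_CLOEXEC", 0o2000000)  # Linux value as fallback
LINE_RE = re.compile(r"SandboxBroker: denied op=(?P<op>\d+) rflags=(?P<rflags>[0-7]+)"
                     r" perms=\d+ path=(?P<path>\S+) for pid=\d+")

def decode_open_flags(flags):
    """Render an open(2) flag word as e.g. 'rdwr+cloexec'."""
    access = {os.O_RDONLY: "rdonly", os.O_WRONLY: "wronly", os.O_RDWR: "rdwr"}
    extras = [n for n, bit in (("creat", os.O_CREAT), ("trunc", os.O_TRUNC),
                               ("cloexec", O_CLOEXEC)) if flags & bit]
    return "+".join([access[flags & 0o3]] + extras)  # 0o3 is O_ACCMODE on Linux

def parse_denials(lines):
    """Map each denied path to the set of decoded requests made on it."""
    wanted = defaultdict(set)
    for m in filter(None, map(LINE_RE.search, lines)):
        op, rflags = int(m["op"]), int(m["rflags"], 8)
        name = OP_NAMES.get(op, f"op{op}")
        detail = (decode_open_flags(rflags) if op == 0
                  else f"mode={rflags:o}" if op == 6 else "")
        wanted[m["path"]].add(f"{name} {detail}".strip())
    return dict(wanted)

def device_rdwr_paths(denials):
    """Device nodes opened read-write: the minimal set an allow-list must cover."""
    return sorted(p for p, reqs in denials.items() if p.startswith("/dev/")
                  and any(r.startswith("open rdwr") for r in reqs))

# Constructed sample: a subset of the denial lines quoted in this bug.
SAMPLE_LOG = [
    'Sandbox: SandboxBroker: denied op=0 rflags=0 perms=0 path=/etc/nvidia/nvidia-application-profiles-rc.d/ for pid=31884 error="No such file or directory"',
    'Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidiactl for pid=31884 error="No such file or directory"',
    'Sandbox: SandboxBroker: denied op=0 rflags=2000002 perms=3 path=/dev/nvidia-modeset for pid=6540 error="No such file or directory"',
    'Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidia0 for pid=6540 error="No such file or directory"',
    'Sandbox: SandboxBroker: denied op=6 rflags=777 perms=3 path=/tmp for pid=13407 error="No such file or directory"',
    'Sandbox: SandboxBroker: denied op=2 rflags=0 perms=0 path=/home/morbo/.nv/ for pid=13407 error="No such file or directory"',
]

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for path, reqs in sorted(denials.items()):
        print(path, sorted(reqs))
    print("allow rdwr on:", device_rdwr_paths(denials))
```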
Comment on attachment 8799466 [details]
Bug 1308851 - Open up devices for NVIDIA proprietary driver in the sandbox.

https://reviewboard.mozilla.org/r/84636/#review83238

::: security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:143
(Diff revision 1)
>    }
> +
> +  // Bug 1308851: NVIDIA proprietary driver when using WebGL
> +  policy->AddPath(rdwr, "/dev/nvidiactl");
> +  policy->AddPath(rdwr, "/dev/nvidia-modeset");
> +  policy->AddPath(rdwr, "/dev/nvidia0");
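Review bot: the hard-coded `/dev/nvidia0` entry covers only the first GPU, and the three `AddPath(rdwr, ...)` lines grant read-write access unconditionally to every content process; if the policy API offers a prefix match (AddPrefix is mentioned in the review), a `/dev/nvidia` prefix entry would cover additional device numbers without listing each one. The comment `// Bug 1308851: NVIDIA proprietary driver when using WebGL` should also record that the other denied paths from the log (`/etc/nvidia/...`, `/tmp`, `/home`, `~/.nv`) were left out deliberately because WebGL worked without them, so a later reader does not widen the policy further on the strength of the same log.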

Would this (`nvidia0`) work as intended on multi-GPU systems?  (Is that even a thing that people would run Firefox on?  I don't actually know.)  AddPrefix might help.
Attachment #8799466 - Flags: review?(jld) → review+
Pushed by gpascutto@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/510cf5f0ecca
Open up devices for NVIDIA proprietary driver in the sandbox. r=jld
https://hg.mozilla.org/mozilla-central/rev/510cf5f0ecca
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52