Closed
Bug 1308851
Opened 8 years ago
Closed 8 years ago
WebGL on NVIDIA's proprietary driver is blocked by seccomp-bpf policy
Categories
(Core :: Security: Process Sandboxing, defect)
Core
Security: Process Sandboxing
Tracking
()
RESOLVED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: gcp, Unassigned)
References
Details
Attachments
(1 file)
https://bugzilla.mozilla.org/show_bug.cgi?id=1289718#c63 https://bugzilla.mozilla.org/show_bug.cgi?id=1296345#c2 Driver Version 4.5.0 NVIDIA 370.28 on OS: Linux 4.7.7-1-MANJARO
|
||
Comment 1•8 years ago
|
||
Could it be the reason why some WebGL demos are failing in recent Nightlies? This is in particular affecting some WebAssembly demos like http://webassembly.github.io/demo, which we would like to keep up and running for all the Firefox Nightly users (webassembly is enabled only on nightly, which is the most popular demo we're all advertising). If I understand correctly comments linked in comment 0, this is linux only, at least?
Flags: needinfo?(gpascutto)
|
Reporter | |
Comment 2•8 years ago
|
||
This is Linux only, and depends on the specific driver.
Flags: needinfo?(gpascutto)
|
|
||
Comment 3•8 years ago
|
||
Thanks. Is there a way to disable it dynamically, for testing purposes?
|
|
||
Comment 4•8 years ago
|
||
Also, when you say "this specific driver", do you mean all the binary drivers provided by nvidia? I'm using 4.5.0 NVIDIA 352.63 (linux too), fwiw.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(gpascutto)
|
|
Reporter | |
Comment 5•8 years ago
|
||
(In reply to Benjamin Bouvier [:bbouvier] from comment #3) > Thanks. Is there a way to disable it dynamically, for testing purposes? Read the announcement posted a few days ago in moz.dev.platform, "Linux content sandbox tightened".
Flags: needinfo?(gpascutto)
|
|
Reporter | |
Comment 6•8 years ago
|
||
Sandbox: SandboxBroker: denied op=0 rflags=0 perms=0 path=/etc/nvidia/nvidia-application-profiles-rc.d/ for pid=31884 error="No such file or directory" Sandbox: SandboxBroker: denied op=0 rflags=0 perms=0 path=/etc/nvidia/nvidia-application-profiles-rc.d/ for pid=31884 error="No such file or directory" Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidiactl for pid=31884 error="No such file or directory" The /etc access should be harmless, I don't actually have this file. It's trying to write directly to that /dev/nvidiactl device from the content process. I guess we'll have to whitelist this until the gfx people get more stuff into a separate process.
|
|
Reporter | |
Updated•8 years ago
|
Summary: WebGL1 and WebGL2 not working with seccomp-bpf filesystem policy → WebGL on NVIDIA's proprietary driver is blocked by seccomp-bpf policy
|
|
Reporter | |
Comment 7•8 years ago
|
||
There's more: Sandbox: SandboxBroker: denied op=0 rflags=2000002 perms=3 path=/dev/nvidia-modeset for pid=6540 error="No such file or directory" Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidia-modeset for pid=6540 error="No such file or directory" Sandbox: SandboxBroker: denied op=0 rflags=2 perms=3 path=/dev/nvidia0 for pid=6540 error="No such file or directory"
|
|
Reporter | |
Comment 8•8 years ago
|
||
Sandbox: SandboxBroker: denied op=6 rflags=777 perms=3 path=/tmp for pid=13407 error="No such file or directory" Sandbox: SandboxBroker: denied op=6 rflags=777 perms=3 path=/home for pid=13407 error="No such file or directory" Sandbox: SandboxBroker: denied op=2 rflags=0 perms=0 path=/home/morbo/.nv/ for pid=13407 error="No such file or directory" Sandbox: SandboxBroker: denied op=6 rflags=700 perms=0 path=/home/morbo/.nv/ for pid=13407 error="No such file or directory" These don't seem to be required to get WebGL to work. Two questions though: a) Why it's trying to create /tmp even though it already exists - it shouldn't be doing that in the first place. This might confuse the driver. b) What it's trying to store in ~/.nv. We might be breaking shader caches or something like that, IIRC we have similar problems on Windows.
| Comment hidden (mozreview-request) |
|
||
Comment 10•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8799466 [details] Bug 1308851 - Open up devices for NVIDIA proprietary driver in the sandbox. https://reviewboard.mozilla.org/r/84636/#review83238 ::: security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:143 (Diff revision 1) > } > + > + // Bug 1308851: NVIDIA proprietary driver when using WebGL > + policy->AddPath(rdwr, "/dev/nvidiactl"); > + policy->AddPath(rdwr, "/dev/nvidia-modeset"); > + policy->AddPath(rdwr, "/dev/nvidia0"); Would this (`nvidia0`) work as intended on multi-GPU systems? (Is that even a thing that people would run Firefox on? I don't actually know.) AddPrefix might help.
Attachment #8799466 -
Flags: review?(jld) → review+
| Comment hidden (mozreview-request) |
|
||
Comment 12•8 years ago
|
||
Pushed by gpascutto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/510cf5f0ecca Open up devices for NVIDIA proprietary driver in the sandbox. r=jld
|
||
Comment 13•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/510cf5f0ecca
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in
before you can comment on or make changes to this bug.
Description
•