Allow more syscalls for nvidia-vaapi-driver, possibly behind a pref
Categories
(Core :: Security: Process Sandboxing, enhancement, P2)
Tracking
()
People
(Reporter: rmader, Unassigned, NeedInfo)
References
(Blocks 2 open bugs)
Details
There's a new VAAPI wrapper imlementation for Nvidia: https://github.com/elFarto/nvidia-vaapi-driver#firefox
It says it need the syscall 41,49,50,332 (socket, bind, listen, statx).
Jed, does that look sensible to you? It also says: "This is not recommended for general use as it reduces security" and indeed sounds somewhat dangerous.
Comment 1•1 year ago
|
||
I'll need to find out more about what's going on here. I really don't want to allow sockets if there's any way to avoid it; I see that connect
isn't in the list, so it's possible that this isn't trivially broken, but with datagram sockets sendmsg
can send to any destination even with an unconnected socket and that's also something I've tried to avoid allowing where possible. If it's a case of Nvidia blobs that try to use sockets but degrade gracefully if socket
returns an error, then that's fine; we already have issues like that in content processes. We definitely won't allow statx
with arbitrary arguments; currently we'll reject it with ENOSYS
and ideally the caller would fall back to an older syscall which will be replaced with a file broker request, so I need to find out why that's not working. (Supporting statx
directly in the broker would be possible, but it would be a nontrivial amount of complexity.)
Comment 2•1 year ago
•
|
||
Background:
At the moment, the project's readme suggests setting security.sandbox.content.level to 0.
jrmuizel recommended rather setting MOZ_DISABLE_RDD_SANDBOX=1 than disabling the content process sandbox:
even running in the rdd with the sandbox completely disabled wouldn't be the worst option in the world
definitely better than disabling the sandbox in the content processes
So we recommended media.rdd-ffmpeg.enabled=true + MOZ_DISABLE_RDD_SANDBOX=1 in this issue:
https://github.com/elFarto/nvidia-vaapi-driver/issues/6#issuecomment-1005630454
If the required syscalls could be behind a security.sandbox.rdd.nvidia-highly-experimental-vaapi pref, it would allow users of that project to not disable any sandbox.
Updated•1 year ago
|
Updated•11 months ago
|
Description
•