Open Bug 1748460 Opened 2 years ago Updated 11 months ago

Allow more syscalls for nvidia-vaapi-driver, possibly behind a pref

Categories

(Core :: Security: Process Sandboxing, enhancement, P2)

x86_64
Linux
enhancement

Tracking

()

People

(Reporter: rmader, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

There's a new VAAPI wrapper imlementation for Nvidia: https://github.com/elFarto/nvidia-vaapi-driver#firefox

It says it need the syscall 41,49,50,332 (socket, bind, listen, statx).

Jed, does that look sensible to you? It also says: "This is not recommended for general use as it reduces security" and indeed sounds somewhat dangerous.

Flags: needinfo?(jld)

I'll need to find out more about what's going on here. I really don't want to allow sockets if there's any way to avoid it; I see that connect isn't in the list, so it's possible that this isn't trivially broken, but with datagram sockets sendmsg can send to any destination even with an unconnected socket and that's also something I've tried to avoid allowing where possible. If it's a case of Nvidia blobs that try to use sockets but degrade gracefully if socket returns an error, then that's fine; we already have issues like that in content processes. We definitely won't allow statx with arbitrary arguments; currently we'll reject it with ENOSYS and ideally the caller would fall back to an older syscall which will be replaced with a file broker request, so I need to find out why that's not working. (Supporting statx directly in the broker would be possible, but it would be a nontrivial amount of complexity.)

Background:
At the moment, the project's readme suggests setting security.sandbox.content.level to 0.

jrmuizel recommended rather setting MOZ_DISABLE_RDD_SANDBOX=1 than disabling the content process sandbox:

even running in the rdd with the sandbox completely disabled wouldn't be the worst option in the world

definitely better than disabling the sandbox in the content processes

So we recommended media.rdd-ffmpeg.enabled=true + MOZ_DISABLE_RDD_SANDBOX=1 in this issue:
https://github.com/elFarto/nvidia-vaapi-driver/issues/6#issuecomment-1005630454

If the required syscalls could be behind a security.sandbox.rdd.nvidia-highly-experimental-vaapi pref, it would allow users of that project to not disable any sandbox.

Type: defect → enhancement
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Summary: Allow more syscalls for nvidia-vaapi-driver → Allow more syscalls for nvidia-vaapi-driver, possibly behind a pref
Depends on: 1749324
Severity: -- → S3
Priority: -- → P2
Depends on: 1771382
Depends on: 1787714
No longer depends on: 1787714
See Also: → 1830300
You need to log in before you can comment on or make changes to this bug.