Closed Bug 1761692 Opened 2 years ago Closed 2 years ago

Add NixOS driver paths for RDD Sandbox

Categories

(Core :: Security: Process Sandboxing, defect)

Firefox 98
defect

RESOLVED FIXED
100 Branch
Tracking Status
firefox100 --- fixed

People

(Reporter: martin+mozilla, Assigned: martin+mozilla)

References

(Blocks 1 open bug)

Attachments

(1 file, 1 obsolete file)

Attached patch rdd-sandbox-paths.patch (obsolete)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0

Steps to reproduce:

Hardware decoded video-playback can't currently work on NixOS because the required paths are not allowed to be accessed from within the RDD sandbox.

I'm on Firefox 98.0.2 on NixOS and I enabled media.ffmpeg.vaapi.enabled, started Firefox using MOZ_SANDBOX_LOGGING=1 and MOZ_LOG="PlatformDecoderModule:5". Then went to browse YouTube.

Actual results:

The sandbox prevents the RDD process from loading the required libraries to offload video decoding:

libva info: Trying to open /run/opengl-driver/lib/dri/iHD_drv_video.so
Sandbox: SandboxBroker: denied op=open rflags=2000000 perms=0 path=/nix/store/4p5jillybwfk255136rh0smd2ijli6zl-intel-media-driver-22.2.2/lib/dri/iHD_drv_video.so for pid=806411
Sandbox: Failed errno -13 op open flags 02000000 path /run/opengl-driver/lib/dri/iHD_drv_video.so
Sandbox: SandboxBroker: denied op=access rflags=0 perms=0 path=/nix/store/4p5jillybwfk255136rh0smd2ijli6zl-intel-media-driver-22.2.2/lib/dri/iHD_drv_video.so for pid=806411
Sandbox: Failed errno -13 op access flags 00 path /run/opengl-driver/lib/dri/iHD_drv_video.so

Expected results:

Our library path needs to be allowed and we are currently in the process of fixing this downstream using the attached patch.

They are within /run/opengl-driver, which holds symlinks into arbitrary paths below /nix/store.
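A small triage helper for logs like the one in this report, added here as an example and not part of the bug, the patch or Firefox: it pairs each SandboxBroker denial with the client-side failure that follows it, so the path the process asked for can be compared with the path named in the broker's denial. The function names are hypothetical; the sample log is copied from the report above.

```python
import re
from collections import defaultdict

# Log lines copied from the report above (not real-time output).
SAMPLE_LOG = """\
libva info: Trying to open /run/opengl-driver/lib/dri/iHD_drv_video.so
Sandbox: SandboxBroker: denied op=open rflags=2000000 perms=0 path=/nix/store/4p5jillybwfk255136rh0smd2ijli6zl-intel-media-driver-22.2.2/lib/dri/iHD_drv_video.so for pid=806411
Sandbox: Failed errno -13 op open flags 02000000 path /run/opengl-driver/lib/dri/iHD_drv_video.so
Sandbox: SandboxBroker: denied op=access rflags=0 perms=0 path=/nix/store/4p5jillybwfk255136rh0smd2ijli6zl-intel-media-driver-22.2.2/lib/dri/iHD_drv_video.so for pid=806411
Sandbox: Failed errno -13 op access flags 00 path /run/opengl-driver/lib/dri/iHD_drv_video.so
"""

DENIED = re.compile(
    r"SandboxBroker: denied op=(?P<op>\w+) rflags=\w+ perms=\w+ "
    r"path=(?P<path>.+) for pid=(?P<pid>\d+)$")
FAILED = re.compile(
    r"Sandbox: Failed errno (?P<errno>-?\d+) op (?P<op>\w+) "
    r"flags \w+ path (?P<path>.+)$")

def pair_denials(log):
    """Pair each broker denial with the client-side failure that follows it."""
    pending, pairs = None, []
    for line in log.splitlines():
        line = line.strip()
        m = DENIED.search(line)
        if m:
            pending = m.groupdict()   # a denial with no matching failure is dropped
            continue
        m = FAILED.search(line)
        if m and pending and pending["op"] == m["op"]:
            pairs.append({"op": m["op"], "pid": int(pending["pid"]),
                          "errno": int(m["errno"]),
                          "requested": m["path"],        # path the process asked for
                          "checked": pending["path"]})   # path in the broker's denial
            pending = None
    return pairs

def symlink_mismatches(pairs):
    """Group denied ops by (requested, checked) where the two paths differ."""
    out = defaultdict(list)
    for p in pairs:
        if p["requested"] != p["checked"]:
            out[(p["requested"], p["checked"])].append(p["op"])
    return dict(out)

if __name__ == "__main__":
    for (req, chk), ops in symlink_mismatches(pair_denials(SAMPLE_LOG)).items():
        print(f"{','.join(ops)}: requested {req}\n  denied as   {chk}")
```
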

The Bugbug bot thinks this bug should belong to the 'Core::Security: Process Sandboxing' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: Process Sandboxing
Product: Firefox → Core

Thanks Martin for your patch, would it be possible for you to submit via Phabricator?

Flags: needinfo?(lissyx+mozillians)

Sorry, mis-selected the proper target for needinfo.

Flags: needinfo?(lissyx+mozillians) → needinfo?(martin+mozilla)
Attachment #9269747 - Attachment description: WIP: Bug 1761692 - Add NixOS driver directory to allowed paths for RDD sandbox → Bug 1761692 - Add NixOS driver directory to allowed paths for RDD sandbox

(In reply to Alexandre LISSY :gerard-majax from comment #2)

Thanks Martin for your patch, would it be possible for you to submit via Phabricator?

Submitted, thanks for the pointer.

Flags: needinfo?(martin+mozilla)

Comment on attachment 9269592
rdd-sandbox-paths.patch

obsolete: pushed to https://phabricator.services.mozilla.com/D142268

Attachment #9269592 - Attachment is obsolete: true

(In reply to Martin Weinelt from comment #5)

(In reply to Alexandre LISSY :gerard-majax from comment #2)

Thanks Martin for your patch, would it be possible for you to submit via Phabricator?

Submitted, thanks for the pointer.

Thanks! In general, you can find guidelines on how to make sure your patch gets the proper attention by following https://firefox-source-docs.mozilla.org/setup/contributing_code.html#getting-your-code-reviewed

Specifically, here, you should add a reviewer by adding a r?XXX to your commit title and submitting again or by setting a reviewer on Phabricator.

Blocks: 1743926
Assignee: nobody → martin+mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Thanks for the patch. I assumed you did not have the credentials to push on Lando, so I pushed the patch for you.

Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5ac6a69a01f4
Add NixOS driver directory to allowed paths for RDD sandbox r=gerard-majax
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch