1761692 - Add NixOS driver paths for RDD Sandbox

Status: RESOLVED FIXED

(Core :: Security: Process Sandboxing, defect)

Description

[Martin Weinelt]

Attachment: rdd-sandbox-paths.patch

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0

Steps to reproduce:

Hardware decoded video-playback can't currently work on NixOS because the required paths are not allowed to be accessed from within the RDD sandbox.

I'm on FIrefox 98.0.2 on NixOS and I enabled media.ffmpeg.vaapi.enabled, started Firefox using MOZ_SANDBOX_LOGGIN=1 and MOZ_LOG="PlatformDecoderModule:5". Then went to browse YouTube.

Actual results:

The sandbox prevents the RDD process from loading the required libraries to offload video decoding:

libva info: Trying to open /run/opengl-driver/lib/dri/iHD_drv_video.so
Sandbox: SandboxBroker: denied op=open rflags=2000000 perms=0 path=/nix/store/4p5jillybwfk255136rh0smd2ijli6zl-intel-media-driver-22.2.2/lib/dri/iHD_drv_video.so for pid=806411
Sandbox: Failed errno -13 op open flags 02000000 path /run/opengl-driver/lib/dri/iHD_drv_video.so
Sandbox: SandboxBroker: denied op=access rflags=0 perms=0 path=/nix/store/4p5jillybwfk255136rh0smd2ijli6zl-intel-media-driver-22.2.2/lib/dri/iHD_drv_video.so for pid=806411
Sandbox: Failed errno -13 op access flags 00 path /run/opengl-driver/lib/dri/iHD_drv_video.so

Expected results:

Our library path needs to be allowed and we are currently in the process of fixing this downstream using the attached patch.

They are within /run/opengl-driver, which holds symlinks into arbitrary paths below /nix/store.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::Security: Process Sandboxing' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 2

[:gerard-majax]

Thanks Martin for your patch, would it be possible for you to submit via Phabricator?

Comment 3

[:gerard-majax]

Sorry, mis-selected the proper target for needinfo.

Comment 4

[Martin Weinelt]

Attachment: Bug 1761692 - Add NixOS driver directory to allowed paths for RDD sandbox

Comment 5

[Martin Weinelt]

(In reply to Alexandre LISSY :gerard-majax from comment #2)

Thanks Martin for your patch, would it be possible for you to submit via Phabricator?

Submitted, thanks for the pointer.

Comment 6

[:gerard-majax]

Comment on attachment 9269592 [details] [diff] [review]
rdd-sandbox-paths.patch

obsolete: pushed to https://phabricator.services.mozilla.com/D142268

Comment 7

[:gerard-majax]

(In reply to Martin Weinelt from comment #5)

(In reply to Alexandre LISSY :gerard-majax from comment #2)

Thanks Martin for your patch, would it be possible for you to submit via Phabricator?

Submitted, thanks for the pointer.

Thanks ! In general, you can find guidelines on how to make sure your patch gets the proper attention by following https://firefox-source-docs.mozilla.org/setup/contributing_code.html#getting-your-code-reviewed

Specifically, here, you should add a reviewer by adding a r?XXX to your commit title and submitting again or by setting a reviewer on Phabricator.

Comment 8

[:gerard-majax]

Thanks for the patch, I assumed you had not the credentials to push on lando so I pushed the patch for you

Comment 9

[Pulsebot]

Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5ac6a69a01f4
Add NixOS driver directory to allowed paths for RDD sandbox r=gerard-majax

Comment 10

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/5ac6a69a01f4