Adjust RDD sandbox policy to allow VA-API with X11 EGL
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking
 | Tracking | Status
---|---|---
firefox102 | --- | fixed
People
(Reporter: jld, Assigned: jld)
References
(Blocks 1 open bug)
Attachments (5 files)
I have patches that make VA-API work in the RDD process with X11 EGL, tested with amdgpu and intel. This won't fix Wayland (it's probably going to need a rule to allow its socket connection, and maybe something in the graphics code to deal with opening the display in a non-GTK process), and it's untested with other Mesa drivers, and using nvidia with a wrapper is also out of scope (bug 1748460). As a result, I've made a separate bug for this, because it doesn't solve the entire problem.
Most of the work is factoring out the X11 dependencies (including the seccomp plumbing for connect
brokering); there are a few other minor changes, mostly related to X11.
I've gotten the patches more or less cleaned up, and it should be a clear improvement over the status quo, so we might as well land them.
Comment 1•2 years ago
The arguments to the SandboxPolicyCommon constructor will get more
complicated as more optional features are added (e.g., the one added in
the next patch), and they're basically just mapped to boolean member
variables, so this patch lets the subclasses set them directly, to keep
things simpler and more readable.
Comment 2•2 years ago
We're going to want to let the RDD process make a (brokered) connection
to a local X server, but the seccomp-bpf plumbing for that mostly lives
in the content process sandbox policy. This moves it into the common
policy, and subclasses can opt in.
Comment 3•2 years ago
These syscalls (at least send/recv) are used by X11 client libraries, and
allowing them doesn't really change anything about security or attack
surface, because they're strict subsets of sendmsg/recvmsg which we
already allow everywhere for use by IPC. So, this patch allows them in
all process types instead of only content.
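The allowlist-plus-broker shape that comments 2 and 3 describe, as an added example that is not Firefox code (Firefox builds its policies with the Chromium sandbox BPF DSL, not raw cBPF): a hand-written x86-64 filter that allows sendmsg/recvmsg and their strict subsets sendto/recvfrom, traps connect() so a SIGSYS handler could forward it to a broker, rejects everything else with EPERM, and kills a call arriving from a foreign architecture; a minimal evaluator checks the filter's decisions offline. The SIGSYS handler and broker themselves are assumed to exist elsewhere and are not shown; syscall numbers come from the system headers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Raw cBPF rendering of the policy fragment (x86-64): sendmsg/recvmsg and their
 * strict subsets sendto/recvfrom are allowed, connect() traps to a SIGSYS handler
 * (where broker forwarding would live), anything else fails with EPERM, and a
 * foreign architecture is killed before the syscall number is even inspected. */
static const struct sock_filter k_policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendmsg, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvmsg, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_recvfrom, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 1, 2),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
};

/* Minimal cBPF evaluator for the three opcode forms used above, so the policy
 * can be exercised offline; in production the kernel runs the filter. */
static uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = *(const uint32_t *)((const char *)d + in->k);  /* load field */
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;              /* relative jump */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL;   /* opcode not modelled here: reject */
    }
    return SECCOMP_RET_KILL;           /* fell off the end: reject */
}

/* Action bits (upper 16) the policy returns for syscall `nr` raised from `arch`. */
uint32_t decide(int nr, uint32_t arch) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(k_policy, sizeof k_policy / sizeof *k_policy, &d) & 0xffff0000U;
}
```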
Comment 4•2 years ago
This patch moves a lot of text but the idea is relatively simple and
no functional change is intended: factor out the parts of the content
sandbox policy needed to create and use an EGL context under X11.
(The AddDriPaths function already has some of the dependencies in a
conveniently separated form, but there are others.)
Comment 5•2 years ago
This patch mostly turns on the features set up by the earlier patches:
allow connecting to the X server and reading various related things
(.Xauthority, GPU device info in sysfs, etc.). It also turns off Mesa's
shader cache in the RDD process; that shouldn't be needed here, and
disabling it lets us avoid dealing with a few things in the sandbox
policy that we'd rather not (e.g., getpwuid).
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cf7bb9b7414d Refactor seccomp-bpf sandbox policy constructors. r=gcp
https://hg.mozilla.org/integration/autoland/rev/b91adae9bb59 Factor out connect() brokering in the Linux sandbox policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/c7833370362a Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
https://hg.mozilla.org/integration/autoland/rev/7a64faec004f Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/f5b71a28f28b Allow the RDD process to use EGL under X11 on Linux. r=gcp
Comment 7•2 years ago
Backed out for causing mochitest failures on browser_sandbox_test.js.
[task 2022-05-14T01:52:26.386Z] 01:52:26 INFO - TEST-START | security/sandbox/test/browser_sandbox_test.js
[task 2022-05-14T01:52:26.387Z] 01:52:26 INFO - GECKO(1573) | Chrome file doesn't exist: /builds/worker/workspace/build/tests/mochitest/browser/security/sandbox/test/head.js
[task 2022-05-14T01:52:26.405Z] 01:52:26 INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1663, tid 1893, syscall 228, args 18446744073709551602 140268083443552 140268073019296 16 0 140268073201664.
[task 2022-05-14T01:52:26.406Z] 01:52:26 INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1663, tid 1893, syscall 228, args 4294967282 140268083443552 140268073019296 16 0 140268073201664.
[task 2022-05-14T01:52:26.494Z] 01:52:26 INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_socket_pid1894.log
[task 2022-05-14T01:52:26.495Z] 01:52:26 INFO - GECKO(1573) | [1894, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.573Z] 01:52:26 INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_utility_pid1901.log
[task 2022-05-14T01:52:26.573Z] 01:52:26 INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_rdd_pid1898.log
[task 2022-05-14T01:52:26.573Z] 01:52:26 INFO - GECKO(1573) | [1898, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.576Z] 01:52:26 INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_utility_pid1899.log
[task 2022-05-14T01:52:26.577Z] 01:52:26 INFO - GECKO(1573) | [1899, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.577Z] 01:52:26 INFO - GECKO(1573) | [Socket 1894, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpHandler.cpp:339
[task 2022-05-14T01:52:26.577Z] 01:52:26 INFO - GECKO(1573) | [Socket 1894, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, kKnownEsrVersion) failed with result 0x80004002 (NS_NOINTERFACE): file /builds/worker/checkouts/gecko/toolkit/components/resistfingerprinting/nsRFPService.cpp:560
[task 2022-05-14T01:52:26.584Z] 01:52:26 INFO - GECKO(1573) | [1901, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.589Z] 01:52:26 INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1894, tid 1916, syscall 157, args 21 0 0 0 0 512.
[task 2022-05-14T01:52:26.601Z] 01:52:26 INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_gmplugin_pid1902.log
[task 2022-05-14T01:52:26.601Z] 01:52:26 INFO - GECKO(1573) | [1902, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.633Z] 01:52:26 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:26.633Z] 01:52:26 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:26.633Z] 01:52:26 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:26.654Z] 01:52:26 INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1899, tid 1927, syscall 16, args 1 21522 139640512812455 85 0 512.
[task 2022-05-14T01:52:26.660Z] 01:52:26 INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /etc/hostname
[task 2022-05-14T01:52:26.684Z] 01:52:26 INFO - GECKO(1573) | [Parent 1573, Main Thread] WARNING: IPC message 'PContent::Msg_UpdateMediaCodecsSupported' discarded: actor cannot send: file /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:509
[task 2022-05-14T01:52:26.687Z] 01:52:26 INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1898, tid 1935, syscall 16, args 1 21522 139922368824743 85 0 512.
[task 2022-05-14T01:52:26.698Z] 01:52:26 INFO - TEST-INFO | started process screentopng
[task 2022-05-14T01:52:27.381Z] 01:52:27 INFO - TEST-INFO | screentopng: exit 0
[task 2022-05-14T01:52:27.385Z] 01:52:27 INFO - Buffered messages logged at 01:52:26
[task 2022-05-14T01:52:27.385Z] 01:52:27 INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test high_bits_gettime passed: Succeeded -
<...>
[task 2022-05-14T01:52:27.459Z] 01:52:27 INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test sched_getparam(Ntid) passed: Error: Operation not permitted -
[task 2022-05-14T01:52:27.460Z] 01:52:27 INFO - Buffered messages finished
[task 2022-05-14T01:52:27.461Z] 01:52:27 INFO - TEST-UNEXPECTED-FAIL | security/sandbox/test/browser_sandbox_test.js | Test socket failed: Succeeded; expected error -
[task 2022-05-14T01:52:27.461Z] 01:52:27 INFO - Stack trace:
[task 2022-05-14T01:52:27.461Z] 01:52:27 INFO - chrome://mochikit/content/browser-test.js:test_ok:1394
[task 2022-05-14T01:52:27.461Z] 01:52:27 INFO - chrome://mochitests/content/browser/security/sandbox/test/browser_sandbox_test.js:sandboxTestResult:35
[task 2022-05-14T01:52:27.464Z] 01:52:27 INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test uname passed: Succeeded -
[task 2022-05-14T01:52:27.465Z] 01:52:27 INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test ioctl_dma_buf passed: Error: Inappropriate ioctl for device -
[task 2022-05-14T01:52:27.469Z] 01:52:27 INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test getcpu passed: Succeeded -
[task 2022-05-14T01:52:27.470Z] 01:52:27 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: IPC message 'PGMP::Msg_FOGData' discarded: actor cannot send: file /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:509
[task 2022-05-14T01:52:27.471Z] 01:52:27 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: Can't get observer service!: file /builds/worker/checkouts/gecko/xpcom/threads/nsMemoryPressure.cpp:65
[task 2022-05-14T01:52:27.474Z] 01:52:27 INFO - GECKO(1573) | [Parent 1573, IPC I/O Parent] WARNING: Dropping message as channel has been closed: file /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:223
[task 2022-05-14T01:52:27.474Z] 01:52:27 INFO - GECKO(1573) | [Parent 1573, IPC I/O Parent] WARNING: Dropping message as channel has been closed: file /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:223
[task 2022-05-14T01:52:27.475Z] 01:52:27 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:27.476Z] 01:52:27 INFO - GECKO(1573) | Sandbox: unexpected multiple open of file /proc/cpuinfo
[task 2022-05-14T01:52:27.476Z] 01:52:27 INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu/cpu0/cache/index2/size
[task 2022-05-14T01:52:27.477Z] 01:52:27 INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu/cpu0/cache/index3/size
[task 2022-05-14T01:52:27.479Z] 01:52:27 INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu/present
[task 2022-05-14T01:52:27.479Z] 01:52:27 INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu
[task 2022-05-14T01:52:27.480Z] 01:52:27 INFO - GECKO(1573) | Sandbox: unexpected multiple open of file /proc/cpuinfo
[task 2022-05-14T01:52:27.481Z] 01:52:27 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: XPCOM object ProfilerParentTracker destroyed from static ctor/dtor: file /builds/worker/checkouts/gecko/xpcom/base/nsTraceRefcnt.cpp:206
[task 2022-05-14T01:52:27.486Z] 01:52:27 INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: XPCOM object nsStringBuffer released from static ctor/dtor: file /builds/worker/checkouts/gecko/xpcom/base/nsTraceRefcnt.cpp:206
<...>
Comment 8•2 years ago
(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #0)
I have patches that make VA-API work in the RDD process with X11 EGL, tested with amdgpu and intel. This won't fix Wayland (it's probably going to need a rule to allow its socket connection, and maybe something in the graphics code to deal with opening the display in a non-GTK process), and it's untested with other Mesa drivers, and using nvidia with a wrapper is also out of scope (bug 1748460). As a result, I've made a separate bug for this, because it doesn't solve the entire problem.
Works for me. Is there anything I can do to fix that on Wayland? Can you be more specific about 'opening the display in a non-GTK process' ?
Thanks.
Comment 9•2 years ago
Looks like we actually use X11/EGL on the RDD process even on Wayland when X11 is also available. That means the patches here work even on Wayland when mozilla::widget::GdkIsWaylandDisplay() is removed.
Comment 10•2 years ago
(In reply to Martin Stránský [:stransky] (ni? me) from comment #9)
Looks like we actually use X11/EGL on the RDD process even on Wayland when X11 is also available. That means the patches here work even on Wayland when mozilla::widget::GdkIsWaylandDisplay() is removed.
Filed as Bug 1769499.
Comment 11•2 years ago
(In reply to Martin Stránský [:stransky] (ni? me) from comment #8)
(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #0)
I have patches that make VA-API work in the RDD process with X11 EGL, tested with amdgpu and intel. This won't fix Wayland (it's probably going to need a rule to allow its socket connection, and maybe something in the graphics code to deal with opening the display in a non-GTK process), and it's untested with other Mesa drivers, and using nvidia with a wrapper is also out of scope (bug 1748460). As a result, I've made a separate bug for this, because it doesn't solve the entire problem.
Works for me. Is there anything I can do to fix that on Wayland? Can you be more specific about 'opening the display in a non-GTK process' ?
Thanks.
There's an option to create GL context over GBM device so we don't need display connection. Looking at it now.
Comment 12•2 years ago
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f9452f00ff9 Refactor seccomp-bpf sandbox policy constructors. r=gcp
https://hg.mozilla.org/integration/autoland/rev/06426a1dbd1a Factor out connect() brokering in the Linux sandbox policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/e0907e204b98 Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
https://hg.mozilla.org/integration/autoland/rev/f38d02e55173 Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/cd0c2d8c6092 Allow the RDD process to use EGL under X11 on Linux. r=gcp
Comment 14•2 years ago
Copying crash signatures from duplicate bugs.
Comment 15•2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0f9452f00ff9
https://hg.mozilla.org/mozilla-central/rev/06426a1dbd1a
https://hg.mozilla.org/mozilla-central/rev/e0907e204b98
https://hg.mozilla.org/mozilla-central/rev/f38d02e55173
https://hg.mozilla.org/mozilla-central/rev/cd0c2d8c6092