Bug 1769182 (Closed): Adjust RDD sandbox policy to allow VA-API with X11 EGL

Opened 2 years ago; closed 2 years ago.
Category: Core :: Security: Process Sandboxing (enhancement, P1)
Status: RESOLVED FIXED, 102 Branch (firefox102: fixed)
Reporter: jld; Assigned: jld
References: blocks 1 open bug
Attachments: 5 files

I have patches that make VA-API work in the RDD process with X11 EGL, tested with amdgpu and intel. This won't fix Wayland (it's probably going to need a rule to allow its socket connection, and maybe something in the graphics code to deal with opening the display in a non-GTK process), and it's untested with other Mesa drivers, and using nvidia with a wrapper is also out of scope (bug 1748460). As a result, I've made a separate bug for this, because it doesn't solve the entire problem.

Most of the work is factoring out the X11 dependencies (including the seccomp plumbing for connect brokering); there are a few other minor changes, mostly related to X11.

I've gotten the patches more or less cleaned up, and it should be a clear improvement over the status quo, so we might as well land them.

The arguments to the SandboxPolicyCommon constructor will get more
complicated as more optional features are added (e.g., the one added in
the next patch), and they're basically just mapped to boolean member
variables, so this patch lets the subclasses set them directly, to keep
things simpler and more readable.

We're going to want to let the RDD process make a (brokered) connection
to a local X server, but the seccomp-bpf plumbing for that mostly lives
in the content process sandbox policy. This moves it into the common
policy, and subclasses can opt in.

These syscalls (at least send/recv) are used by X11 client libraries, and
allowing them doesn't really change anything about security or attack
surface, because they're strict subsets of sendmsg/recvmsg which we
already allow everywhere for use by IPC. So, this patch allows them in
all process types instead of only content.

This patch moves a lot of text but the idea is relatively simple and
no functional change is intended: factor out the parts of the content
sandbox policy needed to create and use an EGL context under X11.
(The AddDriPaths function already has some of the dependencies in a
conveniently separated form, but there are others.)

This patch mostly turns on the features set up by the earlier patches:
allow connecting to the X server and reading various related things
(.Xauthority, GPU device info in sysfs, etc.). It also turns off Mesa's
shader cache in the RDD process; that shouldn't be needed here, and
disabling it lets us avoid dealing with a few things in the sandbox
policy that we'd rather not (e.g., getpwuid).
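The five commit messages above describe the shape of the policy change without showing it. What follows is an added example, not Firefox's own sandbox code: a common seccomp-bpf policy whose optional features are plain boolean members (here a single `broker_connect`), the send/recv/sendto/recvfrom rules placed beside sendmsg/recvmsg in every process type, connect() trapped for brokering only when the flag is set, and a small cBPF interpreter so the program can be checked offline instead of being installed with prctl/seccomp. The syscall numbers, BPF opcodes and SECCOMP_RET_* values are the kernel's; the flag and function names, the EPERM default and the two-entry arch table are assumptions made for illustration.

```c
/* Added example, not Firefox's sandbox code: a seccomp-bpf policy builder in
 * the shape the commit messages describe, plus a tiny cBPF interpreter so the
 * program can be evaluated without installing it. Kernel constants are real;
 * the flag name, helpers and the EPERM default are constructed. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define POLICY_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define POLICY_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Optional features of the common policy. Instead of a growing constructor
 * argument list, a per-process policy just sets the members it wants. */
struct PolicyFlags {
    bool broker_connect; /* trap connect() and forward it to the broker */
};

#define MAX_INSNS 64
struct Policy { struct sock_filter insns[MAX_INSNS]; size_t len; };

static struct sock_filter stmt(uint16_t code, uint32_t k) { return (struct sock_filter){ code, 0, 0, k }; }
static struct sock_filter jeq(uint32_t k, uint8_t jt, uint8_t jf) {
    return (struct sock_filter){ BPF_JMP | BPF_JEQ | BPF_K, jt, jf, k };
}
static void emit(struct Policy *p, struct sock_filter i) { if (p->len < MAX_INSNS) p->insns[p->len++] = i; }
/* "if (nr == target) return action;" as two cBPF instructions */
static void rule(struct Policy *p, int target, uint32_t action) {
    emit(p, jeq((uint32_t)target, 0, 1));
    emit(p, stmt(BPF_RET | BPF_K, action));
}

static struct Policy build_common_policy(struct PolicyFlags f) {
    struct Policy p = { .len = 0 };
    /* Check the arch first: syscall numbers differ between ABIs. */
    emit(&p, stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    emit(&p, jeq(POLICY_ARCH, 1, 0));
    emit(&p, stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    emit(&p, stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    /* IPC needs sendmsg/recvmsg in every process type ... */
    rule(&p, __NR_sendmsg, SECCOMP_RET_ALLOW);
    rule(&p, __NR_recvmsg, SECCOMP_RET_ALLOW);
    /* ... and the simpler variants are strict subsets of them, so allowing
     * them everywhere (X11 client libraries use them) adds no attack surface. */
    rule(&p, __NR_sendto, SECCOMP_RET_ALLOW);
    rule(&p, __NR_recvfrom, SECCOMP_RET_ALLOW);
#if defined(__NR_send) && defined(__NR_recv) /* only some ABIs have these */
    rule(&p, __NR_send, SECCOMP_RET_ALLOW);
    rule(&p, __NR_recv, SECCOMP_RET_ALLOW);
#endif
    /* Opt-in: trap connect() so a SIGSYS handler can have the broker make
     * the (X server) connection on the sandboxed process's behalf. */
    if (f.broker_connect) rule(&p, __NR_connect, SECCOMP_RET_TRAP);
    /* Everything else, socket() included, fails with EPERM. */
    emit(&p, stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));
    return p;
}

/* Evaluate the cBPF subset the builder emits (LD abs, JEQ imm, RET imm). */
static uint32_t run_policy(const struct Policy *p, const struct seccomp_data *sd) {
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < p->len) {
        const struct sock_filter *i = &p->insns[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)sd + i->k, sizeof acc); /* nr or arch */
            pc += 1;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == i->k ? i->jt : i->jf);
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end: fail closed */
}

/* The decision the kernel would make for syscall `nr` under these flags. */
uint32_t decide(bool broker_connect, uint32_t arch, int nr) {
    struct PolicyFlags f = { .broker_connect = broker_connect };
    struct Policy p = build_common_policy(f);
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_policy(&p, &sd);
}

int main(void) {
    printf("RDD+X11 connect(): %s\n", decide(true, POLICY_ARCH, __NR_connect) == SECCOMP_RET_TRAP ? "trap (brokered)" : "other");
    printf("RDD sendto():      %s\n", decide(false, POLICY_ARCH, __NR_sendto) == SECCOMP_RET_ALLOW ? "allow" : "deny");
    return 0;
}
```

`decide()` returns the raw seccomp return word, so the cases the patches care about can be read off directly: sendto/recvfrom are allowed with or without the flag, connect() is trapped only when brokering is opted in, a wrong-arch syscall is killed, and socket() hits the EPERM default, which is the outcome the browser_sandbox_test.js run quoted further down expects for its "socket" case ("expected error").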

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cf7bb9b7414d
Refactor seccomp-bpf sandbox policy constructors. r=gcp
https://hg.mozilla.org/integration/autoland/rev/b91adae9bb59
Factor out connect() brokering in the Linux sandbox policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/c7833370362a
Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
https://hg.mozilla.org/integration/autoland/rev/7a64faec004f
Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/f5b71a28f28b
Allow the RDD process to use EGL under X11 on Linux. r=gcp

Backed out for causing mochitest failures on browser_sandbox_test.js.


[task 2022-05-14T01:52:26.386Z] 01:52:26     INFO - TEST-START | security/sandbox/test/browser_sandbox_test.js
[task 2022-05-14T01:52:26.387Z] 01:52:26     INFO - GECKO(1573) | Chrome file doesn't exist: /builds/worker/workspace/build/tests/mochitest/browser/security/sandbox/test/head.js
[task 2022-05-14T01:52:26.405Z] 01:52:26     INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1663, tid 1893, syscall 228, args 18446744073709551602 140268083443552 140268073019296 16 0 140268073201664.
[task 2022-05-14T01:52:26.406Z] 01:52:26     INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1663, tid 1893, syscall 228, args 4294967282 140268083443552 140268073019296 16 0 140268073201664.
[task 2022-05-14T01:52:26.494Z] 01:52:26     INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_socket_pid1894.log
[task 2022-05-14T01:52:26.495Z] 01:52:26     INFO - GECKO(1573) | [1894, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.573Z] 01:52:26     INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_utility_pid1901.log
[task 2022-05-14T01:52:26.573Z] 01:52:26     INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_rdd_pid1898.log
[task 2022-05-14T01:52:26.573Z] 01:52:26     INFO - GECKO(1573) | [1898, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.576Z] 01:52:26     INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_utility_pid1899.log
[task 2022-05-14T01:52:26.577Z] 01:52:26     INFO - GECKO(1573) | [1899, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.577Z] 01:52:26     INFO - GECKO(1573) | [Socket 1894, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpHandler.cpp:339
[task 2022-05-14T01:52:26.577Z] 01:52:26     INFO - GECKO(1573) | [Socket 1894, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, kKnownEsrVersion) failed with result 0x80004002 (NS_NOINTERFACE): file /builds/worker/checkouts/gecko/toolkit/components/resistfingerprinting/nsRFPService.cpp:560
[task 2022-05-14T01:52:26.584Z] 01:52:26     INFO - GECKO(1573) | [1901, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.589Z] 01:52:26     INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1894, tid 1916, syscall 157, args 21 0 0 0 0 512.
[task 2022-05-14T01:52:26.601Z] 01:52:26     INFO - GECKO(1573) | ### XPCOM_MEM_BLOAT_LOG defined -- logging bloat/leaks to /tmp/tmpb75399xq.mozrunner/runtests_leaks_gmplugin_pid1902.log
[task 2022-05-14T01:52:26.601Z] 01:52:26     INFO - GECKO(1573) | [1902, Main Thread] WARNING: XPCOM_MEM_BLOAT_LOG is set, disabling native allocations.: file /builds/worker/checkouts/gecko/tools/profiler/core/platform.cpp:339
[task 2022-05-14T01:52:26.633Z] 01:52:26     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:26.633Z] 01:52:26     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:26.633Z] 01:52:26     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:26.654Z] 01:52:26     INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1899, tid 1927, syscall 16, args 1 21522 139640512812455 85 0 512.
[task 2022-05-14T01:52:26.660Z] 01:52:26     INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /etc/hostname
[task 2022-05-14T01:52:26.684Z] 01:52:26     INFO - GECKO(1573) | [Parent 1573, Main Thread] WARNING: IPC message 'PContent::Msg_UpdateMediaCodecsSupported' discarded: actor cannot send: file /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:509
[task 2022-05-14T01:52:26.687Z] 01:52:26     INFO - GECKO(1573) | Sandbox: seccomp sandbox violation: pid 1898, tid 1935, syscall 16, args 1 21522 139922368824743 85 0 512.
[task 2022-05-14T01:52:26.698Z] 01:52:26     INFO - TEST-INFO | started process screentopng
[task 2022-05-14T01:52:27.381Z] 01:52:27     INFO - TEST-INFO | screentopng: exit 0
[task 2022-05-14T01:52:27.385Z] 01:52:27     INFO - Buffered messages logged at 01:52:26
[task 2022-05-14T01:52:27.385Z] 01:52:27     INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test high_bits_gettime passed: Succeeded - 
<...>
[task 2022-05-14T01:52:27.459Z] 01:52:27     INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test sched_getparam(Ntid) passed: Error: Operation not permitted - 
[task 2022-05-14T01:52:27.460Z] 01:52:27     INFO - Buffered messages finished
[task 2022-05-14T01:52:27.461Z] 01:52:27     INFO - TEST-UNEXPECTED-FAIL | security/sandbox/test/browser_sandbox_test.js | Test socket failed: Succeeded; expected error - 
[task 2022-05-14T01:52:27.461Z] 01:52:27     INFO - Stack trace:
[task 2022-05-14T01:52:27.461Z] 01:52:27     INFO - chrome://mochikit/content/browser-test.js:test_ok:1394
[task 2022-05-14T01:52:27.461Z] 01:52:27     INFO - chrome://mochitests/content/browser/security/sandbox/test/browser_sandbox_test.js:sandboxTestResult:35
[task 2022-05-14T01:52:27.464Z] 01:52:27     INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test uname passed: Succeeded - 
[task 2022-05-14T01:52:27.465Z] 01:52:27     INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test ioctl_dma_buf passed: Error: Inappropriate ioctl for device - 
[task 2022-05-14T01:52:27.469Z] 01:52:27     INFO - TEST-PASS | security/sandbox/test/browser_sandbox_test.js | Test getcpu passed: Succeeded - 
[task 2022-05-14T01:52:27.470Z] 01:52:27     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: IPC message 'PGMP::Msg_FOGData' discarded: actor cannot send: file /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:509
[task 2022-05-14T01:52:27.471Z] 01:52:27     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: Can't get observer service!: file /builds/worker/checkouts/gecko/xpcom/threads/nsMemoryPressure.cpp:65
[task 2022-05-14T01:52:27.474Z] 01:52:27     INFO - GECKO(1573) | [Parent 1573, IPC I/O Parent] WARNING: Dropping message as channel has been closed: file /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:223
[task 2022-05-14T01:52:27.474Z] 01:52:27     INFO - GECKO(1573) | [Parent 1573, IPC I/O Parent] WARNING: Dropping message as channel has been closed: file /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:223
[task 2022-05-14T01:52:27.475Z] 01:52:27     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: NS_ENSURE_TRUE(Preferences::InitStaticMembers()) failed: file /builds/worker/checkouts/gecko/modules/libpref/Preferences.cpp:4571
[task 2022-05-14T01:52:27.476Z] 01:52:27     INFO - GECKO(1573) | Sandbox: unexpected multiple open of file /proc/cpuinfo
[task 2022-05-14T01:52:27.476Z] 01:52:27     INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu/cpu0/cache/index2/size
[task 2022-05-14T01:52:27.477Z] 01:52:27     INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu/cpu0/cache/index3/size
[task 2022-05-14T01:52:27.479Z] 01:52:27     INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu/present
[task 2022-05-14T01:52:27.479Z] 01:52:27     INFO - GECKO(1573) | Sandbox: attempt to open unexpected file /sys/devices/system/cpu
[task 2022-05-14T01:52:27.480Z] 01:52:27     INFO - GECKO(1573) | Sandbox: unexpected multiple open of file /proc/cpuinfo
[task 2022-05-14T01:52:27.481Z] 01:52:27     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: XPCOM object ProfilerParentTracker destroyed from static ctor/dtor: file /builds/worker/checkouts/gecko/xpcom/base/nsTraceRefcnt.cpp:206
[task 2022-05-14T01:52:27.486Z] 01:52:27     INFO - GECKO(1573) | [GMP 1902, Main Thread] WARNING: XPCOM object nsStringBuffer released from static ctor/dtor: file /builds/worker/checkouts/gecko/xpcom/base/nsTraceRefcnt.cpp:206
<...>
Flags: needinfo?(jld)

(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #0)

I have patches that make VA-API work in the RDD process with X11 EGL, tested with amdgpu and intel. This won't fix Wayland (it's probably going to need a rule to allow its socket connection, and maybe something in the graphics code to deal with opening the display in a non-GTK process), and it's untested with other Mesa drivers, and using nvidia with a wrapper is also out of scope (bug 1748460). As a result, I've made a separate bug for this, because it doesn't solve the entire problem.

Works for me. Is there anything I can do to fix that on Wayland? Can you be more specific about 'opening the display in a non-GTK process'?
Thanks.

Looks like we actually use X11/EGL in the RDD process even on Wayland when X11 is also available. That means the patches here work even on Wayland when mozilla::widget::GdkIsWaylandDisplay() is removed.

(In reply to Martin Stránský [:stransky] (ni? me) from comment #9)

Looks like we actually use X11/EGL in the RDD process even on Wayland when X11 is also available. That means the patches here work even on Wayland when mozilla::widget::GdkIsWaylandDisplay() is removed.

Filed as Bug 1769499.

See Also: → 1769499

(In reply to Martin Stránský [:stransky] (ni? me) from comment #8)

(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #0)

I have patches that make VA-API work in the RDD process with X11 EGL, tested with amdgpu and intel. This won't fix Wayland (it's probably going to need a rule to allow its socket connection, and maybe something in the graphics code to deal with opening the display in a non-GTK process), and it's untested with other Mesa drivers, and using nvidia with a wrapper is also out of scope (bug 1748460). As a result, I've made a separate bug for this, because it doesn't solve the entire problem.

Works for me. Is there anything I can do to fix that on Wayland? Can you be more specific about 'opening the display in a non-GTK process'?
Thanks.

There's an option to create a GL context over a GBM device so we don't need a display connection. Looking at it now.

Severity: -- → S3
Priority: -- → P1
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f9452f00ff9
Refactor seccomp-bpf sandbox policy constructors. r=gcp
https://hg.mozilla.org/integration/autoland/rev/06426a1dbd1a
Factor out connect() brokering in the Linux sandbox policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/e0907e204b98
Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
https://hg.mozilla.org/integration/autoland/rev/f38d02e55173
Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
https://hg.mozilla.org/integration/autoland/rev/cd0c2d8c6092
Allow the RDD process to use EGL under X11 on Linux. r=gcp

Copying crash signatures from duplicate bugs.

Crash Signature: [@ __GI___nss_lookup] [@ __nss_lookup] [@ mozilla::PRDDChild::OtherPid]
Crash Signature: [@ __GI___nss_lookup] [@ __nss_lookup] [@ mozilla::PRDDChild::OtherPid] → [@ __GI___nss_lookup] [@ __nss_lookup] [@ mozilla::PRDDChild::OtherPid]
Flags: needinfo?(jld)
Regressions: 1777910