Consider a GPU process sandbox on Linux
Categories
(Core :: Security: Process Sandboxing, enhancement, P3)
People
(Reporter: jld, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Keywords: sec-want)
We're in the process of enabling the GPU process on Linux for X11 (bug 1653444), and it seems that we'll also want it for Wayland (bug 1732951) although it sounds like there's infrastructure that still needs to be written/adapted to make it work. So, we'll probably want to sandbox it, because it's going to be influenced by Web content even if it isn't running content JS directly.
For Wayland this should be relatively simple, once there's a GPU process that I can test with. X11 is harder, because (as previously discussed) it doesn't really have a security model, so access to the X server is dangerous. However, if it's possible to refactor things so that the GPU process does some kind of offscreen rendering (using the GPU device nodes directly) and the parent process can display the result, like what I think bug 1732951 comment #12 is talking about for Wayland, then we can do something. In particular, DRI3 has operations to turn a DMA-BUF descriptor into an X11 pixmap and vice versa, which looks promising, but I don't know what the details would look like or how complicated it would be to wire things up.