| field | value | date |
|---|---|---|
| author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-06-25 22:52:05 +0000 |
| committer | GitHub <noreply@github.com> | 2024-06-25 22:52:05 +0000 |
| commit | af44e33b19becf3cda6919a10268cca731a1e306 (patch) | |
| tree | 34ff3198c9c3e9486df174837770a23aac0f1f6a | |
| parent | modif: private-dev: keep /dev/kfd unless no3d is used (#6380) (diff) | |
| download | firejail-af44e33b19becf3cda6919a10268cca731a1e306.tar.gz, firejail-af44e33b19becf3cda6919a10268cca731a1e306.tar.zst, firejail-af44e33b19becf3cda6919a10268cca731a1e306.zip | |
modif: keep /sys/module/nvidia* if prop driver and no no3d (#6387)

It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:

    $ firejail --noprofile prime-run /bin/glxdemo
    [...]
    X Error of failed request: BadValue (integer parameter out of range for operation)
      Major opcode of failed request: 150 (GLX)
      Minor opcode of failed request: 3 (X_GLXCreateContext)
      Value in failed request: 0x0
      Serial number of failed request: 22
      Current serial number in output stream: 23
    [...]

Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.

So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.

Note: The driver check is copied from src/firejail/util.c (see #841).

To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.

Fixes #6372.

Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
-rw-r--r-- | etc/profile-m-z/noprofile.profile | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 14 |
2 files changed, 14 insertions, 2 deletions
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile index 7d0e01d98..c2e4999ea 100644 --- a/etc/profile-m-z/noprofile.profile +++ b/etc/profile-m-z/noprofile.profile | |||
@@ -15,6 +15,8 @@ | |||
15 | 15 | ||
16 | noblacklist /sys/fs | 16 | noblacklist /sys/fs |
17 | noblacklist /sys/module | 17 | noblacklist /sys/module |
18 | nowhitelist /sys/module/nvidia* | ||
19 | ignore read-only /sys/module/nvidia* | ||
18 | 20 | ||
19 | allow-debuggers | 21 | allow-debuggers |
20 | allusers | 22 | allusers |
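Review bot: the two new lines (18-19) undo a default that is set in C code, not in another profile, so a reader of noprofile.profile alone cannot tell where `whitelist /sys/module/nvidia*` and `read-only /sys/module/nvidia*` come from; add a short comment above them, e.g. `# undo the nvidia defaults added by fs_proc_sys_dev_boot() (see #6372)`. The `nowhitelist` matters more than it looks: a whitelist exposes only the listed paths within its top directory, so without it a --noprofile sandbox on an nvidia system would hide every other entry under /sys/module even though line 17 explicitly lifts the blacklist on it.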
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index cdad5e220..abef85515 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) { | |||
743 | 743 | ||
744 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 744 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
745 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 745 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
746 | { // allow user access to some directories in /sys/ by specifying 'noblacklist' option | 746 | |
747 | profile_add("blacklist /sys/fs"); | 747 | // Soft-block some paths in /sys/ (can be undone in profiles). |
748 | profile_add("blacklist /sys/fs"); | ||
749 | |||
750 | // Hardware acceleration with the nvidia proprietary driver may fail | ||
751 | // without access to these paths (see #6372). | ||
752 | if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { | ||
753 | profile_add("whitelist /sys/module/nvidia*"); | ||
754 | profile_add("read-only /sys/module/nvidia*"); | ||
755 | } | ||
756 | else { | ||
748 | profile_add("blacklist /sys/module"); | 757 | profile_add("blacklist /sys/module"); |
749 | } | 758 | } |
759 | |||
750 | disable_file(BLACKLIST_FILE, "/sys/power"); | 760 | disable_file(BLACKLIST_FILE, "/sys/power"); |
751 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); | 761 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
752 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); | 762 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); |
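Review bot: the driver check at line 752 (`access("/dev/nvidiactl", R_OK) == 0`) duplicates the one in src/firejail/util.c, as the commit message itself notes; moving both into one shared helper (a hypothetical `nvidia_driver_detected()` in util.c, say) would keep the two from drifting apart the next time the detection is changed. Two comments are also missing. First, the `nvidia*` glob at lines 753-754 matches any directory under /sys/module with that prefix, not only the proprietary driver's modules (the in-tree `nvidiafb` framebuffer module also matches); that is harmless because the paths are mounted read-only, but the intent should be stated. Second, the comment at line 747 says these paths are soft-blocked and can be undone in profiles, yet in the nvidia branch /sys/module is whitelisted rather than blacklisted, so a profile that wants the rest of /sys/module back needs `nowhitelist`, while one that wants the old behaviour needs `blacklist /sys/module` (as the commit message says); a one-line comment on the if/else saying so would save the next reader a trip to the issue tracker.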