author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-06-25 22:52:05 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-25 22:52:05 +0000 |
commit | af44e33b19becf3cda6919a10268cca731a1e306 (patch) | |
tree | 34ff3198c9c3e9486df174837770a23aac0f1f6a /src | |
parent | modif: private-dev: keep /dev/kfd unless no3d is used (#6380) (diff) | |
modif: keep /sys/module/nvidia* if prop driver and no no3d (#6387)
It has been reported in #6372 that after upgrading the nvidia
proprietary driver from version 550.78 to 550.90.07, programs using
hardware acceleration fail unless paths in `/sys/module/nvidia*` are
accessible. Example:
$ firejail --noprofile prime-run /bin/glxdemo
[...]
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 22
Current serial number in output stream: 23
[...]
Meanwhile, the AMD proprietary driver (AMDGPU Pro) seems to depend on
`/sys/module/amdgpu` for OpenCL (though it is unclear how to detect that
driver). See commit 95c8e284d ("Allow accessing /sys/module directory",
2018-05-08) and commit 9dd581d25 ("Allow AMD GPU usage by Blender",
2018-05-08) from PR #1932.
So whitelist `/sys/module/nvidia*` by default if the nvidia proprietary
driver is detected and `no3d` is not used.
Note: The driver check is copied from src/firejail/util.c (see #841).
To keep the current behavior (that is, block all modules), add
`blacklist /sys/module` to globals.local.
Fixes #6372.
Reported-by: @GreatBigWhiteWorld
Reported-by: @orzogc
Reported-by: @krop
Reported-by: @michelesr
Suggested-by: @glitsj16
Tested-by: @flyxyz123
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index cdad5e220..abef85515 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) { | |||
743 | 743 | ||
744 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 744 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
745 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 745 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
746 | { // allow user access to some directories in /sys/ by specifying 'noblacklist' option | 746 | |
747 | profile_add("blacklist /sys/fs"); | 747 | // Soft-block some paths in /sys/ (can be undone in profiles). |
748 | profile_add("blacklist /sys/fs"); | ||
749 | |||
750 | // Hardware acceleration with the nvidia proprietary driver may fail | ||
751 | // without access to these paths (see #6372). | ||
752 | if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { | ||
753 | profile_add("whitelist /sys/module/nvidia*"); | ||
754 | profile_add("read-only /sys/module/nvidia*"); | ||
755 | } | ||
756 | else { | ||
748 | profile_add("blacklist /sys/module"); | 757 | profile_add("blacklist /sys/module"); |
749 | } | 758 | } |
759 | |||
750 | disable_file(BLACKLIST_FILE, "/sys/power"); | 760 | disable_file(BLACKLIST_FILE, "/sys/power"); |
751 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); | 761 | disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); |
752 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); | 762 | disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); |
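Review bot: the driver check `access("/dev/nvidiactl", R_OK) == 0` at line 752 duplicates the one the commit message says already lives in src/firejail/util.c; consider exposing that check as a shared helper and calling it here, so the two detections cannot drift apart if the heuristic is later refined. Two smaller points on the same hunk: the glob `whitelist /sys/module/nvidia*` matches any module whose name starts with "nvidia", not only the proprietary driver's modules, which is probably acceptable but worth a word in the comment; and since the `else` branch at lines 756-758 means `blacklist /sys/module` is no longer applied at all when the driver is present (the commit message documents the `globals.local` workaround), the user-visible change in default sandbox exposure deserves a line in the release notes or man page in addition to the commit message.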