YunoHost-Apps / peertube_ynh

Federated (ActivityPub) video streaming platform using P2P for YunoHost
https://joinpeertube.org/fr/
GNU Affero General Public License v3.0

VAAPI hardware transcode broken with hardened systemd service settings #296

Closed h3ndrik closed 2 years ago

h3ndrik commented 2 years ago

I'm using the hardware-transcode-vaapi plugin. Something in the systemd peertube.service file prevents ffmpeg from accessing /dev/dri/renderD128.

Commenting out the "Sandboxing options to harden security" section makes it work again. I left the last section with the CapabilityBoundingSet intact, so that's most likely not the problem.

```ini
#NoNewPrivileges=yes
#PrivateTmp=yes
#PrivateDevices=yes
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#RestrictNamespaces=yes
#RestrictRealtime=yes
#DevicePolicy=closed
#ProtectSystem=full
#ProtectControlGroups=yes
#ProtectKernelModules=yes
#ProtectKernelTunables=yes
#LockPersonality=yes
#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
```

I've tried:

```ini
ReadWritePaths=/dev/dri
```

which results in an error, and:

```ini
DeviceAllow=/dev/dri/renderD128
```

which doesn't change anything.

How do we unblock access to the graphics card?
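The setting that hides the GPU in the list above is `PrivateDevices=yes`: it gives the service a private `/dev` (a tmpfs populated only with pseudo-devices such as `/dev/null` and `/dev/urandom`), so `/dev/dri/renderD128` never exists inside the sandbox and a `DeviceAllow=` rule has nothing to match. The way to keep the rest of the hardening is to turn only `PrivateDevices` off, keep `DevicePolicy=closed` (the device cgroup whitelist) and allow the single render node read/write, plus the supplementary group that owns the node so the unprivileged service user may open it. The script below is an added example and not code from the peertube_ynh repository or the issue author; it assumes the unit is called `peertube.service`, that the render node is `/dev/dri/renderD128` and that its owning group is `render` (check with `stat -c %G /dev/dri/renderD128`; on some distributions it is `video`). It only writes to a temporary directory; the commands to apply the drop-in on a real host are in the trailing comments.

```shell
#!/bin/sh
# Added example, not part of peertube_ynh. Assumptions: unit name
# peertube.service, render node /dev/dri/renderD128, owning group "render"
# (verify with: stat -c %G /dev/dri/renderD128).

# Return 0 when the unit file has an active (uncommented) PrivateDevices=yes.
# With that option systemd mounts a private /dev holding only pseudo-devices,
# so /dev/dri is absent from the sandbox and DeviceAllow= cannot expose it.
has_private_devices() {
    grep -Eq '^[[:space:]]*PrivateDevices[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$1"
}

# Print a drop-in that keeps the remaining sandbox settings but exposes the
# GPU: PrivateDevices is switched off, DevicePolicy=closed stays (everything
# not listed in DeviceAllow is still denied by the device cgroup) and only
# the render node is allowed read/write. SupplementaryGroups adds the group
# owning the node so the peertube user can open it without running as root.
dri_dropin() {
    group="${1:-render}"   # group name is an assumption; see stat -c %G above
    cat <<EOF
[Service]
# A private /dev would hide /dev/dri; rely on the device cgroup whitelist instead.
PrivateDevices=no
DevicePolicy=closed
DeviceAllow=/dev/dri/renderD128 rw
SupplementaryGroups=${group}
EOF
}

# Self-contained demo on a constructed unit file (not the installed one).
demo() {
    tmp="$(mktemp -d)"
    cat >"$tmp/peertube.service" <<'EOF'
[Service]
User=peertube
NoNewPrivileges=yes
PrivateDevices=yes
DevicePolicy=closed
DeviceAllow=/dev/dri/renderD128
EOF
    if has_private_devices "$tmp/peertube.service"; then
        echo "PrivateDevices=yes is active: DeviceAllow alone cannot expose /dev/dri"
    fi
    mkdir -p "$tmp/peertube.service.d"
    dri_dropin render >"$tmp/peertube.service.d/vaapi.conf"
    cat "$tmp/peertube.service.d/vaapi.conf"
    rm -rf "$tmp"
}

# On the real host, write the drop-in to
#   /etc/systemd/system/peertube.service.d/vaapi.conf
# (systemctl edit peertube does this for you), then:
#   systemctl daemon-reload && systemctl restart peertube
#   systemd-analyze security peertube   # confirm the rest of the sandbox is still scored
demo
```

Editing the shipped unit file is avoided on purpose: a drop-in survives package upgrades, and `systemd-analyze security` lets you confirm that only the device-related exposure changed.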