Closed creideiki closed 3 years ago
firejail --noprofile firefox
works.
Firefox 73.0 hangs in the same way.
Please try with various --ignore
flags like firejail --ignore=seccomp firefox
, firejail --ignore=nogroups firefox
, firejail --ignore=nonewprivs firefox
and so on. You may also try multiple --ignore
at once.
Please try with various
--ignore
flags likefirejail --ignore=seccomp firefox
,firejail --ignore=nogroups firefox
,firejail --ignore=nonewprivs firefox
and so on. You may also try multiple--ignore
at once.
I've confirmed that disabling seccomp via firejail --ignore=seccomp firefox
successfully restores the old (intended) behavior.
Edit: Tested this with v73.0
@leogx9r you had same issue as OP related to amd gpu on gentoo?
@leogx9r you had same issue as OP related to amd gpu on gentoo?
Same issue, different OS. I've experienced this on Arch Linux.
It works fine with NVIDIA GPUs so I'd imagine it may be a kernel bug or an updated package causing it as it only started happening recently, as in within the past week to two.
To further add on to this issue, when using seccomp, startup takes around 10-15 seconds on an SSD in contrast to just under 2 seconds and GPU compositing fails, falling back to basic CPU rendering.
You can check this via about:support
-> Graphics -> Features -> Compositing: "Basic" instead of using WebRender.
This behavior showed up for me in Arch right now with Mesa 19.3.4. It works fine if I downgrade Mesa packages to 19.3.3, so I'm thinking the problem is related to a change in Mesa 19.3.4.
On 2020-02-14 12:57, Ropid wrote:
This behavior showed up for me in Arch right now with Mesa 19.3.4. It works fine if I downgrade Mesa packages to 19.3.3, so I'm thinking the problem is related to a change in Mesa 19.3.4.
Good catch! I don't have one of my failing systems with me at the
moment, but glancing at the Mesa Git repo between 19.3.3 and 19.3.4
shows me
https://gitlab.freedesktop.org/mesa/mesa/commit/ed271a9c2f40f8ec881bf3e4568d35dbfcd9cf70
which introduced a call to kcmp
, which looks to be blocked by the
default seccomp rules:
$ firejail --seccomp.print=4012
[...]
002d: 15 1b 00 00000138 jeq kcmp 0049 (false 002e)
[...]
0049: 06 00 01 00000000 ret KILL
Does it work on Mesa 19.3.4 if you start Firefox with firejail --ignore=seccomp '--seccomp=!kcmp,!chroot' firefox
?
Yes, it is blocked: https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt#L36
f you start Firefox with
firejail --ignore=seccomp '--seccomp=!kcmp,!chroot' firefox
?
I don't think that this works, firejail '--seccomp=!kcmp' firefox
should be enough to add the exception.
On 2020-02-14 13:47, rusty-snake wrote:
Yes, it is blocked: https://github.com/netblue30/firejail/blob/master/etc/templates/syscalls.txt#L36
f you start Firefox with
firejail --ignore=seccomp '--seccomp=!kcmp,!chroot' firefox
?I don't think that this works,
firejail '--seccomp=!kcmp' firefox
should be enough to add the exception.
I tried that, but that still uses the seccomp rules from the profile:
$ firejail '--seccomp=!kcmp' --profile=firefox bash
Reading profile /etc/firejail/firefox.profile
[...]
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
And firejail --seccomp.print=$PID
claims it's still blocked.
Compare with this:
$ firejail --ignore=seccomp '--seccomp=!kcmp,!chroot' --profile=firefox
bash
[...]
Seccomp list in: !kcmp,!chroot, check list: @default-keep, prelist:
unknown,unknown,
$ firejail --seccomp.print=10931
[...]
0007: 15 00 01 00000138 jeq kcmp 0008 (false 0009)
0008: 06 00 00 7fff0000 ret ALLOW
firejail --ignore=seccomp '--seccomp=!kcmp,!chroot' firefox
?
This indeed fixes the issue with the latest mesa version.
I can confirm that firejail --ignore=seccomp '--seccomp=!kcmp,!chroot' firefox
fixes my original problem as well, on Mesa 20.0.0_rc2.
Looking at the Mesa source code, only the AMDGPU code calls kcmp()
as of version 20.0.0. I'm not sure under what circumstances, though - I've tried some OpenGL games and applications, and the only one (besides Firefox) I've seen call kcmp()
is VLC.
Would the best way forward be inserting seccomp !kcmp
in any profiles where it is an actual problem, or removing kcmp
from the default list of blocked syscalls?
Possible all profiles without no3d
are affected?
FYI: #3267
I can reproduce this with many profiles under Fedora 32, which ships Mesa 20.0.1.
Here is a hacky patch to use in the meantime https://gist.github.com/SkewedZeppelin/300447ea70be8aef106b8d8602881134 A proper solution will need to be put in place @smitsohu @topimiettinen
Instead of allowing kcmp(), would it work to make it return ENOSYS (or EPERM) instead? Manual page mentions that kcmp() is not always available (needs CONFIG_CHECKPOINT_RESTORE), so the drivers should handle that case.
Though if kcmp() is considered safe (comparison of resources of two processes owned by the same user does not seem very dangerous), I wouldn't mind if it was removed.
Instead of allowing kcmp(), would it work to make it return ENOSYS (or EPERM) instead?
It would be great to change seccomp filter to use EPERM/ENOSYS globally. I think KILL was proven unsustainable at this point and security difference is quite negligible. Moreover if we're going to allow syscalls that cause issues then KILL is less secure in the end.
Instead of allowing kcmp(), would it work to make it return ENOSYS (or EPERM) instead?
The problem with that is that the call was introduced to fix a memory leak: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/3202
Manual page mentions that kcmp() is not always available (needs CONFIG_CHECKPOINT_RESTORE), so the drivers should handle that case.
Yes, this makes Mesa's use of it very weird, but I haven't had the time to raise that issue with them.
It would be great to change seccomp filter to use EPERM/ENOSYS globally. I think KILL was proven unsustainable at this point and security difference is quite negligible. Moreover if we're going to allow syscalls that cause issues then KILL is less secure in the end.
Agreed, also systemd has made the change. I'll make a PR.
See #3301.
We can remove the kcmp exception from profiles again, since we now EPERM instead of KILL programs.
@rusty-snake I count only 3 profiles that currently use !kcmp: dnscrypt-proxy, steam and unbound. I'll test dnscrypt-proxy and unbound but I have never used steam. Can you test that please?
I'm not using it either.
Even with EPERM this is not fixed. Vanilla firejail at 821dd6c9 on Fedora 32 using AMDGPU graphics breaks many programs. Firefox, Evolution, etc.
I am using https://gist.github.com/SkewedZeppelin/300447ea70be8aef106b8d8602881134 on my personal builds
Even with EPERM this is not fixed. Vanilla firejail at 821dd6c on Fedora 32 using AMDGPU graphics breaks many programs. Firefox, Evolution, etc.
I am using https://gist.github.com/SkewedZeppelin/300447ea70be8aef106b8d8602881134 on my personal builds
I can confirm. Firejail 0.9.64 on Artix using AMDGPU breaks Steam (see #3267) unless I override the default syscall whitelist with the syscall blacklist suggested by @rusty-snake:
--seccomp.drop=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
Good catch! I don't have one of my failing systems with me at the moment, but glancing at the Mesa Git repo between 19.3.3 and 19.3.4 shows me https://gitlab.freedesktop.org/mesa/mesa/commit/ed271a9c2f40f8ec881bf3e4568d35dbfcd9cf70 which introduced a call to `kcmp
For reference, this is what it looks like on 19.3.4 (it hasn't changed too much as of 20.2.1):
$ git checkout mesa-19.3.4
HEAD is now at 7a3190eb918 VERSION: bump version for 19.3.4
$ grep -Fnr kcmp src/
src/util/os_file.c:37:#include <linux/kcmp.h>
src/util/os_file.c:140: return syscall(SYS_kcmp, pid, pid, KCMP_FILE, fd1, fd2) == 0;
$ cat src/util/os_file.c
// ...
#if defined(__linux__)
// ...
bool
os_same_file_description(int fd1, int fd2)
{
pid_t pid = getpid();
return syscall(SYS_kcmp, pid, pid, KCMP_FILE, fd1, fd2) == 0;
}
#else
// ...
Looking at the Mesa source code, only the AMDGPU code calls kcmp() as of version 20.0.0.
$ git checkout mesa-20.0.0
HEAD is now at 9abde3412d3 VERSION: bump for 20.0.0 release
$ grep -Fnr os_same_file_description src/
src/gallium/winsys/amdgpu/drm/amdgpu_winsys.c:383: if (os_same_file_description(sws_iter->fd, ws->fd)) {
src/util/os_file.h:39:os_same_file_description(int fd1, int fd2);
src/util/os_file.c:136:os_same_file_description(int fd1, int fd2)
src/util/os_file.c:155:os_same_file_description(int fd1, int fd2)
Indeed, but since 20.1.1 it seems that other drivers might also be affected:
$ git checkout mesa-20.1.1
HEAD is now at 127c2be9c53 VERSION: bump to 20.1.1 release
$ grep -Fnr os_same_file_description src/
src/gallium/drivers/iris/iris_bufmgr.c:1539: int ret = os_same_file_description(drm_fd, bufmgr->fd);
src/gallium/winsys/amdgpu/drm/amdgpu_winsys.c:375: r = os_same_file_description(sws_iter->fd, ws->fd);
src/gallium/winsys/amdgpu/drm/amdgpu_winsys.c:388: os_log_message("amdgpu: os_same_file_description couldn't "
src/util/os_file.h:45:os_same_file_description(int fd1, int fd2);
src/util/os_file.c:140:os_same_file_description(int fd1, int fd2)
src/util/os_file.c:163:os_same_file_description(int fd1, int fd2)
src/mesa/drivers/dri/i965/brw_bufmgr.c:1642: int ret = os_same_file_description(drm_fd, bufmgr->fd);
And the list appears to be increasing...
$ git checkout master
Already on 'master'
Your branch is up to date with 'origin/master'.
$ git log --oneline --no-decorate -n 1
483657de323 aco: use mubuf helper in select_gs_copy_shader
$ grep -Fnr os_same_file_description src/
src/gallium/drivers/iris/iris_bufmgr.c:1552: int ret = os_same_file_description(drm_fd, bufmgr->fd);
src/gallium/winsys/amdgpu/drm/amdgpu_winsys.c:379: r = os_same_file_description(sws_iter->fd, ws->fd);
src/gallium/winsys/amdgpu/drm/amdgpu_winsys.c:392: os_log_message("amdgpu: os_same_file_description couldn't "
src/gallium/winsys/etnaviv/drm/etnaviv_drm_winsys.c:66: ret = os_same_file_description(fd1, fd2);
src/gallium/winsys/etnaviv/drm/etnaviv_drm_winsys.c:73: fprintf(stderr, "os_same_file_description couldn't determine if "
src/util/os_file.h:51:os_same_file_description(int fd1, int fd2);
src/util/os_file.c:189:os_same_file_description(int fd1, int fd2)
src/util/os_file.c:212:os_same_file_description(int fd1, int fd2)
src/mesa/drivers/dri/i965/brw_bufmgr.c:1638: int ret = os_same_file_description(drm_fd, bufmgr->fd);
Has anyone tested seccomp on i965/iris with Mesa >= 20.1.1?
What about adding !kcmp
to seccomp
if no arg_no3d
and a AMD-GPU is detected. no3d
comes before seccomp
in profiles.
Wouldn't it be simpler to skip detecting AMD GPU and allow kcmp
if there's no no3d
, or just always allow kcmp
? It can be added manually to profiles for extra hardening.
just always allow kcmp?
Since I know that kcmp
is used in chromiums ozone backend (wayland), what would be the drawback on this?
Maybe there could be an option in firejail.config to automatically append syscalls to the default seccomp
filter?
This way people could easily return to the current behaviour.
Over year and we don't even have a hotfix ...
Since not long ago (I unfortunately don't have exact dates or versions for when it happened, but I think it started with Firefox 72.0.2), Firefox hangs at startup under Firejail. This happens on two machines with AMD GPUs, but not on three others with Intel GPUs. All five systems are running up-to-date Gentoo Linux unstable.
Trying on a completely empty profile directory, Firefox gets a little bit through its startup:
And then hangs. The process tree in the sandbox looks like this:
And all threads in the GPU process are hung:
As are the ones in the main Firefox process:
I'm not going to be able to do any deeper debugging for the next couple of days, but if nobody else can reproduce it I'll start looking at older versions of Firefox and removing Firejail profile options this weekend.