Open gedec-coin-one opened 4 years ago
Might be similar to #2447. That was never actually cleared-up.
Without firejail, when I running mpv, it will load nvidia_uvm module automatically (if it not loaded yet),
IMO it's not mpv but the linux kernel that loads the nvidia_uvm module. In any case, the mpv profile uses private-bin env,mpv,python*,youtube-dl
, which might be too restrictive in this context. I suggest ignoring that too. Another possibility (in combination with what you already ignored) is noroot
. Did you try the --build/--build= options yet?
Might be similar to #2447.
I tried --noprofile
too, not work.
it's not mpv but the linux kernel that loads the nvidia_uvm module
English is not my first language, I meant mpv triggered something then made kernel loads that.
I tried ignore private-bin env,mpv,python*,youtube-dl
and ignore noroot
,each then both,
and the --build/--build=
options, still not work.
here is the profile --build=
option generated:
############################################
# /usr/bin/mpv profile
############################################
# Persistent global definitions
# include /etc/firejail/globals.local
### basic blacklisting
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# include /etc/firejail/disable-programs.inc
### home directory whitelisting
whitelist ~/.icons/default
whitelist ~/.icons/default/cursors
whitelist ~/.cursors/default
whitelist ~/.cursors/default/cursors
whitelist ~/.icons/breeze_cursors
whitelist ~/.icons/breeze_cursors/cursors
whitelist ~/.cursors/breeze_cursors
whitelist ~/.cursors/breeze_cursors/cursors
whitelist ~/.Xdefaults-Phantom-Pro
whitelist ~/.pulse-cookie
whitelist ~/.rubberband.wisdom.d
whitelist ~/.XCompose
whitelist ~/.fonts
whitelist ~/.local/share/fonts
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
whitelist ~/.config/fontconfig
whitelist ~/Videos
whitelist ~/.config/mpv
whitelist ~/.nv
include /etc/firejail/whitelist-common.inc
### filesystem
# private-tmp
# File accessed in /tmp directory:
# /tmp/firejail-strace.7wIibg,
# private-dev
# This is the list of devices accessed (on top of regular private-dev devices:
# /dev/dri/card0,/dev/shm/cuda_injection_path_shm,/dev/dri/renderD129,
private-etc machine-id,libva.conf,fonts,mpv,ssl,nvidia,
blacklist /var
private-bin xset,dbus-send,which,sed,grep,mv,bash,mpv,
# private-lib
whitelist /usr/share/icons
whitelist /usr/share/pixmaps
whitelist /usr/share/cursors
whitelist /usr/share/glvnd
whitelist /usr/share/X11
whitelist /usr/share/fonts
whitelist /usr/share/nvidia
### security filters
caps.drop all
nonewprivs
seccomp
# seccomp.keep futex,poll,ioctl,wait4,restart_syscall,getpid,read,write,stat,recvmsg,openat,munmap,mmap,close,sched_yield,lseek,mprotect,execve,clone,writev,sendto,access,getdents64,fstat,mremap,rmdir,unlink,recvfrom,fstatfs,sendmsg,rt_sigprocmask,readlink,rt_sigaction,brk,madvise,fcntl,getpgrp,getrandom,geteuid,set_robust_list,prctl,getegid,getuid,sched_setattr,getgid,socket,connect,fadvise64,shutdown,mkdir,splice,eventfd2,arch_prctl,pipe,dup2,rt_sigreturn,socketpair,getpeername,getsockname,uname,set_tid_address,dup,prlimit64,lstat,setsockopt,statfs,clock_getres,getresuid,getresgid,sigaltstack,fallocate,pipe2,renameat2,ftruncate,newfstatat,umask,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,getsockopt,sysinfo,getppid,gettid,sched_getattr
# 84 syscalls total
# Probably you will need to add more syscalls to seccomp.keep. Look for
# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
# running your sandbox.
### network
protocol unix,
net none
### environment
shell none
Thanks for posting the --build output. Did that actually work to run mpv with nvdec?
Thanks for posting the --build output. Did that actually work to run mpv with nvdec?
no, it's still not work unless load nvidia_uvm module manually.
After a decent portion of sleep I think this is probably seccomp related. Can you try the seccomp.keep list seen in your output from the --build command instead of seccomp?
#seccomp
seccomp.keep futex,poll,ioctl,wait4,restart_syscall,getpid,read,write,stat,recvmsg,openat,munmap,mmap,close,sched_yield,lseek,mprotect,execve,clone,writev,sendto,access,getdents64,fstat,mremap,rmdir,unlink,recvfrom,fstatfs,sendmsg,rt_sigprocmask,readlink,rt_sigaction,brk,madvise,fcntl,getpgrp,getrandom,geteuid,set_robust_list,prctl,getegid,getuid,sched_setattr,getgid,socket,connect,fadvise64,shutdown,mkdir,splice,eventfd2,arch_prctl,pipe,dup2,rt_sigreturn,socketpair,getpeername,getsockname,uname,set_tid_address,dup,prlimit64,lstat,setsockopt,statfs,clock_getres,getresuid,getresgid,sigaltstack,fallocate,pipe2,renameat2,ftruncate,newfstatat,umask,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,getsockopt,sysinfo,getppid,gettid,sched_getattr
@glitsj16 with --noprofile
, there are no seccomp filters.
@gedec-coin-one have you (or your distro) set force-nonewprivs (or anythin else) in firejail.config?
@rusty-snake Right. I guess I need more/better sleep heh. Too bad I don't have hardware to fully test mpv with nvdec. Our profile seems to cause issues with that specifically, cfr. #2447.
have you (or your distro) set force-nonewprivs (or anythin else) in firejail.config?
I'm using Gentoo right now, seems force-nonewprivs is disabled by default.
firejail.config
# This is Firejail system-wide configuration file. The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.
# Enable AppArmor functionality, default enabled.
# apparmor yes
# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2
# Enable or disable bind support, default enabled.
# bind yes
# Allow (DRM) execution in browsers, default disabled.
# browser-allow-drm no
# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes
# Enable or disable cgroup support, default enabled.
# cgroup yes
# Enable or disable chroot support, default enabled.
# chroot yes
# Enable or disable dbus handling by --nodbus flag, default enabled.
# dbus yes
# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist or --ignore.
# disable-mnt no
# Set the limit for file copy in several --private-* options. The size is set
# in megabytes. By default we allow up to 500MB.
# Note: the files are copied in RAM.
# file-copy-limit 500
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no
# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes
# Enable or disable sandbox name change, default enabled.
# name-change yes
# Enable or disable networking features, default enabled.
# network yes
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable or disable private-cache feature, default enabled
# private-cache yes
# Enable or disable private-lib feature, default enabled
# private-lib yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable seccomp support, default enabled.
# seccomp yes
# Enable or disable user namespace support, default enabled.
# userns yes
# Enable or disable whitelisting support, default enabled.
# whitelist yes
# Enable or disable X11 sandboxing support, default enabled.
# x11 yes
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
# Xpra server command extra parameters. None by default; this is an example.
# xpra-extra-params --dpi 96
# Enable this option if you have a version of Xpra that supports --attach switch
# for start command, default disabled.
# xpra-attach no
# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
# color depth; use 24 unless you know exactly what you're doing.
# xvfb-screen 640x480x24
# xvfb-screen 800x600x24
# xvfb-screen 1024x768x24
# xvfb-screen 1280x1024x24
# Xvfb command extra parameters. None by default; this is an example.
# xvfb-extra-params -pixdepths 8 24 32
I should weigh in here since I created #2447, found the problem, and found a solution that works for me (I forgot to return to #2447 and post this solution earlier).
The issue is that the nvidia-uvm
device node is not created in /dev
when mpv
is run via firejail, which in turn prevents CUDA/NVDEC from working.
To solve this without any changes to firejail, you can just use the script nvidia provides to setup the device nodes manually on startup: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications. Must be run as root.
Now, the setting up of these device nodes is supposed to be the job of nvidia-modprobe
from what I can tell, but it doesn't work properly for some reason on some machines (maybe related to it being a setuid binary), so in these cases I believe firejail is preventing the (kernel's?) automatic setup of any missing device nodes when a program like mpv
is called from within the firejail container. You can take a closer look at nvidia's script above to see exactly what permissions are needed to set up these nodes and what internal firejail restrictions may be preventing this process.
Hope this helps get to the bottom of this tricky issue.
@Ryujinra Thank you very much for providing this vital piece of information here. Chances are that we can work with this missing piece of the mpv/nvdec puzzle. I just added a comment to #2447 so users can find this thread more easily. Appreciated, stay healthy!
@gedec-coin-one can you try firejail --noprofile --noblacklist=/sys/module mpv
@gedec-coin-one can you try
firejail --noprofile --noblacklist=/sys/module mpv
still not work
[ffmpeg] AVHWDeviceContext: cu->cuInit(0) failed -> CUDA_ERROR_UNKNOWN: unknown error
seems
nvdec
neednvidia_uvm
kernel module loadded to work. Without firejail, when I running mpv, it will loadnvidia_uvm
module automatically (if it not loaded yet), but inside firejail, it not gonna work, sonvdec
can't work either.temporary workaround: mannually load
nvidia_uvm
module, eg.sudo modprobe nvidia_uvm
.FYI: firejail version: 0.9.62 kernel version: 5.6.3 nvidia-drivers version: 440.82 my current mpv.local file: