Open allanlaal opened 10 months ago
Programs usually do not access kernel modules directly (and firejail already blacklists /sys/module by default anyway), so the first blacklist is unlikely to do anything.
I don't know about nvidia, but AMD cards are usually in /dev/dri.
Does it work if you blacklist paths in /dev/dri?
Description
I have 4 GPUs. I want to use the memory of one of them for Firefox. Firejail still allows access to GPUs I've blacklisted.
Steps to Reproduce
firejail --blacklist=/sys/module/amdgpu/ --blacklist=/dev/nvidia0 firefox
Expected behavior
amdgpu and the nvidia0 card are not visible to Firefox
Actual behavior
Firefox sees all 4 of my GPUs and chooses the amdgpu that is running Xorg
Behavior without a profile
nothing changed
Additional context
The list of GPUs Firefox discovers is "PCI candidate". Since Firefox's code is still in the era of "no one needs more than 1 GPU", there is no way to set the GPU; it also ignores any combination of these env vars:
GPU processing offloading works fine
Environment
Checklist (issue template items; the checkbox states are not shown)
running the program by path (e.g. /usr/bin/vlc) "fixes" it
the program has a profile (see https://github.com/netblue30/firejail/issues/1139)
browser-allow-drm yes / browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers
--profile=PROFILENAME to set the right profile (only relevant for AppImages)
Log
```console
2024-01-07 04:14:26 allan@S5:~$ firejail --blacklist=/sys/module/amdgpu/ --blacklist=/dev/nvidia0 firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3003657, child pid 3003661
Warning: not remounting /var/lib/docker/overlay2/355faacadd130ed0ef2ff243bd8cf3c23abcac7d61abc8d85a4c43b219e36366/merged
Warning: not remounting /var/lib/docker/overlay2/355faacadd130ed0ef2ff243bd8cf3c23abcac7d61abc8d85a4c43b219e36366/merged
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 786.96 ms
** (process:3003658): WARNING **: 04:20:37.839: Error writing credentials to socket: Error sending message: Broken pipe
[GFX1-]: glxtest: ManageChildProcess failed
[GFX1-]: glxtest: libEGL initialize failed
[GFX1-]: glxtest: X error, error_code=2, request_code=152, minor_code=3
[GFX1-]: More than 1 GPU vendor detected via PCI, cannot deduce vendor
[GFX1-]: PCI candidate 0x10de/0x2182
[GFX1-]: PCI candidate 0x10de/0x2204
[GFX1-]: PCI candidate 0x1002/0x67df
[GFX1-]: PCI candidate 0x1a03/0x2000
```
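The reply above suggests blacklisting paths under /dev/dri, but the log only identifies the cards by PCI vendor/device ID ("PCI candidate 0x10de/0x2182"), not by device node. The script below is an added example, not code from the issue or from the firejail project: it walks the standard sysfs layout (/sys/class/drm/cardN/device/vendor and .../device, with renderDM nodes matched to their card by the PCI device they point at) and builds the --blacklist options for every card whose vendor is not the one to keep. The optional sysfs-root argument is a hypothetical override so the functions can be exercised against a constructed tree; on a real host leave it unset. Note that blacklisting the nodes removes the sandbox's ability to open those cards; it does not by itself change what Firefox's PCI enumeration reports, so the "PCI candidate" lines may still appear in the log.

```shell
#!/bin/sh
# Added example (not part of the firejail issue or project).
# Maps DRM device nodes to the PCI vendor/device IDs that Firefox's glxtest
# prints, then emits firejail --blacklist options for the cards to hide.

# gpu_map [SYSFS_ROOT]
# Prints one line per card: "<card> <render-node-or-dash> <vendor> <device>".
# SYSFS_ROOT is a hypothetical prefix used only for testing against a
# constructed tree; it defaults to the real / on a live system.
gpu_map() {
  root="${1:-}"
  root="${root%/}"
  for card in "$root"/sys/class/drm/card[0-9]*; do
    # Connector entries such as card0-HDMI-A-1 match the glob too; skip them.
    case "$(basename "$card")" in *-*) continue ;; esac
    [ -e "$card/device/vendor" ] || continue
    dev=$(readlink -f "$card/device")     # canonical PCI device directory
    vendor=$(cat "$card/device/vendor")   # e.g. 0x10de (NVIDIA), 0x1002 (AMD)
    device=$(cat "$card/device/device")   # e.g. 0x2182
    render=-
    # The render node for this card is the one whose device link resolves
    # to the same PCI device directory.
    for r in "$root"/sys/class/drm/renderD[0-9]*; do
      [ -e "$r/device" ] || continue
      if [ "$(readlink -f "$r/device")" = "$dev" ]; then
        render=$(basename "$r")
        break
      fi
    done
    printf '%s %s %s %s\n' "$(basename "$card")" "$render" "$vendor" "$device"
  done
}

# blacklist_args KEEP_VENDOR [SYSFS_ROOT]
# Emits one --blacklist=/dev/dri/<node> option per line for every card and
# render node whose PCI vendor differs from KEEP_VENDOR.
blacklist_args() {
  keep="$1"
  root="${2:-}"
  gpu_map "$root" | while read -r card render vendor device; do
    if [ "$vendor" = "$keep" ]; then
      continue
    fi
    printf '%s\n' "--blacklist=/dev/dri/$card"
    if [ "$render" != "-" ]; then
      printf '%s\n' "--blacklist=/dev/dri/$render"
    fi
  done
}

# Stand-alone use: sh gpu-blacklist.sh 0x1002
#   prints the --blacklist options for every non-AMD card, so that
#   firejail $(sh gpu-blacklist.sh 0x1002) firefox
# starts Firefox with only the AMD card's nodes visible. Nothing runs when
# no vendor ID is given.
if [ $# -gt 0 ]; then
  blacklist_args "$1"
fi
```

To confirm what the sandbox can actually open, run a plain command inside the same sandbox, e.g. firejail $(sh gpu-blacklist.sh 0x1002) ls -l /dev/dri, and compare with the unsandboxed listing; nodes that still appear were not covered by the options, which is the same check the reply above asks for.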