netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Firefox hardware acceleration? #631

Closed haasn closed 8 years ago

haasn commented 8 years ago

This is mostly a question.

Is it by design that firejail completely disables firefox hardware acceleration? In about:support I just get this:

Adapter Description: GLXtest process failed (exited with status 1): X error occurred in GLX probe, error_code=2, request_code=153, minor_code=3

I slowly and painstakingly bisected the firefox profile and found out that to get hardware acceleration to work I had to disable all four of these, as each one in isolation was enough to trigger the breakage:

firefox.profile

#seccomp
#protocol unix,inet,inet6,netlink
...
#nonewprivs
#noroot

I'm aware that exposing firefox to a proprietary graphics adapter (nvidia blob) is basically the equivalent of giving anybody on the internet root access to your system, so I'm guessing this is by design?

Even if it's intentional, it might be worth adding a comment or something at least, so users who don't want to suffer through a slow, stuttery and laggy firefox know what to disable and what risk they put themselves to in doing so. Personally, I've gotten used to firefox being very slow so it's not a huge deal.

netblue30 commented 8 years ago

No, this is not true. On my setup (AMD A10 with a Radeon chipset integrated) it is detected fine:

Adapter Description: X.Org -- Gallium 0.4 on AMD KAVERI

nonewprivs gives us a clue: probably your graphics stack uses a SUID binary to bring up the driver. All 4 profile commands you listed are killing SUID executables. What card do you have?
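
The two mechanisms behind this diagnosis, as an added example that is not firejail's own code: a stat()-based check for setuid/setgid bits on candidate helper binaries, and the Linux no_new_privs flag (what firejail's nonewprivs option sets), which makes the kernel ignore those bits at execve() for the process and everything it spawns. The candidate paths are taken from the package listing later in this thread; the temp-file fixture and its path are constructed for the offline check. Linux-only.

```c
// Added example, not firejail code. Shows the two things behind netblue30's
// diagnosis: a check for setuid/setgid bits on the helpers a graphics stack
// ships, and the Linux no_new_privs flag that firejail's nonewprivs option
// sets, which makes the kernel ignore those bits at execve(). Linux-only.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>

/* 1 if path carries the setuid or setgid bit, 0 if not, -1 if stat() fails. */
int has_suid_or_sgid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_ISUID | S_ISGID)) ? 1 : 0;
}

/* Walk a NULL-terminated list of candidate paths (here: helper binaries from
 * the package listing in this thread) and count the privileged ones. */
int count_privileged(const char *const *paths)
{
    int n = 0;
    for (; *paths; paths++) {
        if (has_suid_or_sgid(*paths) == 1) {
            printf("setuid/setgid helper: %s\n", *paths);
            n++;
        }
    }
    return n;
}

/* Set no_new_privs on the calling process and read it back (1 on success,
 * -1 on failure). It is one-way: every child inherits it, and a setuid
 * helper exec'd afterwards runs with the caller's uid, not root. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Offline fixture for the stat() check: create a temp file, set mode 4755
 * (the owner may set the setuid bit without root), verify, clean up.
 * Returns the check result (expected 1), or -1 if the fixture cannot be made. */
int setuid_fixture_check(void)
{
    char path[] = "/tmp/suid-check-XXXXXX";   /* constructed, not from the page */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int r = (fchmod(fd, S_ISUID | 0755) == 0) ? has_suid_or_sgid(path) : -1;
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    /* Paths from the nvidia package listing in this thread. nvidia-modprobe is
     * normally installed setuid root, but check rather than assume. */
    static const char *const candidates[] = {
        "/usr/bin/nvidia-modprobe", "/opt/bin/nvidia-modprobe",
        "/usr/bin/nvidia-settings", "/opt/bin/nvidia-smi", NULL
    };
    int found = count_privileged(candidates);
    printf("%d privileged helper(s) among %zu candidates\n",
           found, sizeof candidates / sizeof candidates[0] - 1);
    printf("no_new_privs = %d; from here on setuid bits are ignored at exec\n",
           enable_no_new_privs());
    return 0;
}
```

Run it as the user who normally runs firefox: a helper reported as setuid/setgid is one that will stop working (or silently run unprivileged) under nonewprivs, which is the trade-off the profile makes. noroot and seccomp cut the same path by different means, so the stat() result tells you which options are in tension with the driver, not which one to drop.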

haasn commented 8 years ago

It's an NVIDIA GTX 970 with the proprietary drivers (version 367.27). The package's contents are as follows:

/etc
/etc/OpenCL
/etc/OpenCL/vendors
/etc/OpenCL/vendors/nvidia.icd
/etc/X11
/etc/X11/xinit
/etc/X11/xinit/xinitrc.d
/etc/X11/xinit/xinitrc.d/95-nvidia-settings
/etc/conf.d
/etc/conf.d/nvidia-persistenced
/etc/init.d
/etc/init.d/nvidia-persistenced
/etc/init.d/nvidia-smi
/etc/modprobe.d
/etc/modprobe.d/nvidia-rmmod.conf
/etc/modprobe.d/nvidia.conf
/etc/nvidia
/etc/nvidia/nvidia-application-profiles-rc
/etc/vulkan
/etc/vulkan/icd.d
/etc/vulkan/icd.d/nvidia_icd.json
/lib
/lib/modules
/lib/modules/4.5.7-hardened-r7-gnu
/lib/modules/4.5.7-hardened-r7-gnu/video
/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia-drm.ko
/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia-modeset.ko
/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia-uvm.ko
/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia.ko
/lib/udev
/lib/udev/nvidia-udev.sh
/lib/udev/rules.d
/lib/udev/rules.d/99-nvidia.rules
/opt
/opt/bin
/opt/bin/nvidia-cuda-mps-control
/opt/bin/nvidia-cuda-mps-server
/opt/bin/nvidia-debugdump
/opt/bin/nvidia-modprobe
/opt/bin/nvidia-persistenced
/opt/bin/nvidia-smi
/opt/bin/nvidia-xconfig
/usr
/usr/bin
/usr/bin/nvidia-bug-report.sh
/usr/bin/nvidia-modprobe
/usr/bin/nvidia-settings
/usr/lib
/usr/lib/debug
/usr/lib/debug/.build-id
/usr/lib/debug/.build-id/04
/usr/lib/debug/.build-id/04/8819431364a96efe86a30661659ddd6985f9fe
/usr/lib/debug/.build-id/04/8819431364a96efe86a30661659ddd6985f9fe.debug
/usr/lib/debug/.build-id/7a
/usr/lib/debug/.build-id/7a/5376ee87107cd96d3d8e4824f50b7152663224
/usr/lib/debug/.build-id/7a/5376ee87107cd96d3d8e4824f50b7152663224.debug
/usr/lib/debug/.build-id/bf
/usr/lib/debug/.build-id/bf/055172cb4ce68f974783c9f42a18af410c5058
/usr/lib/debug/.build-id/bf/055172cb4ce68f974783c9f42a18af410c5058.debug
/usr/lib/debug/.build-id/d1
/usr/lib/debug/.build-id/d1/5aa143aa84a7a3584679d025f0d7ab75ae48e4
/usr/lib/debug/.build-id/d1/5aa143aa84a7a3584679d025f0d7ab75ae48e4.debug
/usr/lib/debug/lib
/usr/lib/debug/lib/modules
/usr/lib/debug/lib/modules/4.5.7-hardened-r7-gnu
/usr/lib/debug/lib/modules/4.5.7-hardened-r7-gnu/video
/usr/lib/debug/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia-drm.ko.debug
/usr/lib/debug/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia-modeset.ko.debug
/usr/lib/debug/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia-uvm.ko.debug
/usr/lib/debug/lib/modules/4.5.7-hardened-r7-gnu/video/nvidia.ko.debug
/usr/lib/debug/usr
/usr/lib/debug/usr/bin
/usr/lib/debug/usr/bin/nvidia-settings.debug
/usr/lib/debug/usr/lib64
/usr/lib/debug/usr/lib64/libnvidia-gtk2.so.367.27.debug
/usr/lib/debug/usr/lib64/libnvidia-gtk3.so.367.27.debug
/usr/lib32
/usr/lib32/OpenCL
/usr/lib32/OpenCL/vendors
/usr/lib32/OpenCL/vendors/nvidia
/usr/lib32/OpenCL/vendors/nvidia/libOpenCL.so
/usr/lib32/OpenCL/vendors/nvidia/libOpenCL.so.1
/usr/lib32/OpenCL/vendors/nvidia/libOpenCL.so.1.0.0
/usr/lib32/libcuda.so
/usr/lib32/libcuda.so.1
/usr/lib32/libcuda.so.367.27
/usr/lib32/libnvcuvid.so
/usr/lib32/libnvcuvid.so.1
/usr/lib32/libnvcuvid.so.367.27
/usr/lib32/libnvidia-compiler.so
/usr/lib32/libnvidia-compiler.so.367.27
/usr/lib32/libnvidia-eglcore.so
/usr/lib32/libnvidia-eglcore.so.367.27
/usr/lib32/libnvidia-encode.so
/usr/lib32/libnvidia-encode.so.1
/usr/lib32/libnvidia-encode.so.367.27
/usr/lib32/libnvidia-fatbinaryloader.so
/usr/lib32/libnvidia-fatbinaryloader.so.367.27
/usr/lib32/libnvidia-fbc.so
/usr/lib32/libnvidia-fbc.so.1
/usr/lib32/libnvidia-fbc.so.367.27
/usr/lib32/libnvidia-glcore.so
/usr/lib32/libnvidia-glcore.so.367.27
/usr/lib32/libnvidia-glsi.so
/usr/lib32/libnvidia-glsi.so.367.27
/usr/lib32/libnvidia-ifr.so
/usr/lib32/libnvidia-ifr.so.1
/usr/lib32/libnvidia-ifr.so.367.27
/usr/lib32/libnvidia-ml.so
/usr/lib32/libnvidia-ml.so.1
/usr/lib32/libnvidia-ml.so.367.27
/usr/lib32/libnvidia-opencl.so
/usr/lib32/libnvidia-opencl.so.1
/usr/lib32/libnvidia-opencl.so.367.27
/usr/lib32/libnvidia-ptxjitcompiler.so
/usr/lib32/libnvidia-ptxjitcompiler.so.367.27
/usr/lib32/libnvidia-tls.so
/usr/lib32/libnvidia-tls.so.367.27
/usr/lib32/libvdpau_nvidia.so
/usr/lib32/libvdpau_nvidia.so.1
/usr/lib32/libvdpau_nvidia.so.367.27
/usr/lib32/opengl
/usr/lib32/opengl/nvidia
/usr/lib32/opengl/nvidia/lib
/usr/lib32/opengl/nvidia/lib/libEGL.so
/usr/lib32/opengl/nvidia/lib/libEGL.so.1
/usr/lib32/opengl/nvidia/lib/libEGL_nvidia.so
/usr/lib32/opengl/nvidia/lib/libEGL_nvidia.so.0
/usr/lib32/opengl/nvidia/lib/libEGL_nvidia.so.367.27
/usr/lib32/opengl/nvidia/lib/libGL.so
/usr/lib32/opengl/nvidia/lib/libGL.so.1
/usr/lib32/opengl/nvidia/lib/libGL.so.1.0.0
/usr/lib32/opengl/nvidia/lib/libGLESv1_CM.so
/usr/lib32/opengl/nvidia/lib/libGLESv1_CM.so.1
/usr/lib32/opengl/nvidia/lib/libGLESv1_CM_nvidia.so
/usr/lib32/opengl/nvidia/lib/libGLESv1_CM_nvidia.so.1
/usr/lib32/opengl/nvidia/lib/libGLESv1_CM_nvidia.so.367.27
/usr/lib32/opengl/nvidia/lib/libGLESv2.so
/usr/lib32/opengl/nvidia/lib/libGLESv2.so.2
/usr/lib32/opengl/nvidia/lib/libGLESv2_nvidia.so
/usr/lib32/opengl/nvidia/lib/libGLESv2_nvidia.so.2
/usr/lib32/opengl/nvidia/lib/libGLESv2_nvidia.so.367.27
/usr/lib32/opengl/nvidia/lib/libGLX.so
/usr/lib32/opengl/nvidia/lib/libGLX.so.0
/usr/lib32/opengl/nvidia/lib/libGLX_nvidia.so
/usr/lib32/opengl/nvidia/lib/libGLX_nvidia.so.0
/usr/lib32/opengl/nvidia/lib/libGLX_nvidia.so.367.27
/usr/lib32/opengl/nvidia/lib/libGLdispatch.so
/usr/lib32/opengl/nvidia/lib/libGLdispatch.so.0
/usr/lib32/opengl/nvidia/lib/libOpenGL.so
/usr/lib32/opengl/nvidia/lib/libOpenGL.so.0
/usr/lib64
/usr/lib64/OpenCL
/usr/lib64/OpenCL/vendors
/usr/lib64/OpenCL/vendors/nvidia
/usr/lib64/OpenCL/vendors/nvidia/libOpenCL.so
/usr/lib64/OpenCL/vendors/nvidia/libOpenCL.so.1
/usr/lib64/OpenCL/vendors/nvidia/libOpenCL.so.1.0.0
/usr/lib64/libcuda.so
/usr/lib64/libcuda.so.1
/usr/lib64/libcuda.so.367.27
/usr/lib64/libnvcuvid.so
/usr/lib64/libnvcuvid.so.1
/usr/lib64/libnvcuvid.so.367.27
/usr/lib64/libnvidia-cfg.so
/usr/lib64/libnvidia-cfg.so.1
/usr/lib64/libnvidia-cfg.so.367.27
/usr/lib64/libnvidia-compiler.so
/usr/lib64/libnvidia-compiler.so.367.27
/usr/lib64/libnvidia-eglcore.so
/usr/lib64/libnvidia-eglcore.so.367.27
/usr/lib64/libnvidia-encode.so
/usr/lib64/libnvidia-encode.so.1
/usr/lib64/libnvidia-encode.so.367.27
/usr/lib64/libnvidia-fatbinaryloader.so
/usr/lib64/libnvidia-fatbinaryloader.so.367.27
/usr/lib64/libnvidia-fbc.so
/usr/lib64/libnvidia-fbc.so.1
/usr/lib64/libnvidia-fbc.so.367.27
/usr/lib64/libnvidia-glcore.so
/usr/lib64/libnvidia-glcore.so.367.27
/usr/lib64/libnvidia-glsi.so
/usr/lib64/libnvidia-glsi.so.367.27
/usr/lib64/libnvidia-gtk2.so.367.27
/usr/lib64/libnvidia-gtk3.so.367.27
/usr/lib64/libnvidia-ifr.so
/usr/lib64/libnvidia-ifr.so.1
/usr/lib64/libnvidia-ifr.so.367.27
/usr/lib64/libnvidia-ml.so
/usr/lib64/libnvidia-ml.so.1
/usr/lib64/libnvidia-ml.so.367.27
/usr/lib64/libnvidia-opencl.so
/usr/lib64/libnvidia-opencl.so.1
/usr/lib64/libnvidia-opencl.so.367.27
/usr/lib64/libnvidia-ptxjitcompiler.so
/usr/lib64/libnvidia-ptxjitcompiler.so.367.27
/usr/lib64/libnvidia-tls.so
/usr/lib64/libnvidia-tls.so.367.27
/usr/lib64/libnvidia-wfb.so
/usr/lib64/libnvidia-wfb.so.1
/usr/lib64/libnvidia-wfb.so.367.27
/usr/lib64/libvdpau_nvidia.so
/usr/lib64/libvdpau_nvidia.so.1
/usr/lib64/libvdpau_nvidia.so.367.27
/usr/lib64/opengl
/usr/lib64/opengl/nvidia
/usr/lib64/opengl/nvidia/extensions
/usr/lib64/opengl/nvidia/extensions/libglx.so
/usr/lib64/opengl/nvidia/extensions/libglx.so.367.27
/usr/lib64/opengl/nvidia/lib
/usr/lib64/opengl/nvidia/lib/libEGL.so
/usr/lib64/opengl/nvidia/lib/libEGL.so.1
/usr/lib64/opengl/nvidia/lib/libEGL_nvidia.so
/usr/lib64/opengl/nvidia/lib/libEGL_nvidia.so.0
/usr/lib64/opengl/nvidia/lib/libEGL_nvidia.so.367.27
/usr/lib64/opengl/nvidia/lib/libGL.so
/usr/lib64/opengl/nvidia/lib/libGL.so.1
/usr/lib64/opengl/nvidia/lib/libGL.so.1.0.0
/usr/lib64/opengl/nvidia/lib/libGLESv1_CM.so
/usr/lib64/opengl/nvidia/lib/libGLESv1_CM.so.1
/usr/lib64/opengl/nvidia/lib/libGLESv1_CM_nvidia.so
/usr/lib64/opengl/nvidia/lib/libGLESv1_CM_nvidia.so.1
/usr/lib64/opengl/nvidia/lib/libGLESv1_CM_nvidia.so.367.27
/usr/lib64/opengl/nvidia/lib/libGLESv2.so
/usr/lib64/opengl/nvidia/lib/libGLESv2.so.2
/usr/lib64/opengl/nvidia/lib/libGLESv2_nvidia.so
/usr/lib64/opengl/nvidia/lib/libGLESv2_nvidia.so.2
/usr/lib64/opengl/nvidia/lib/libGLESv2_nvidia.so.367.27
/usr/lib64/opengl/nvidia/lib/libGLX.so
/usr/lib64/opengl/nvidia/lib/libGLX.so.0
/usr/lib64/opengl/nvidia/lib/libGLX_nvidia.so
/usr/lib64/opengl/nvidia/lib/libGLX_nvidia.so.0
/usr/lib64/opengl/nvidia/lib/libGLX_nvidia.so.367.27
/usr/lib64/opengl/nvidia/lib/libGLdispatch.so
/usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
/usr/lib64/opengl/nvidia/lib/libOpenGL.so
/usr/lib64/opengl/nvidia/lib/libOpenGL.so.0
/usr/lib64/xorg
/usr/lib64/xorg/modules
/usr/lib64/xorg/modules/drivers
/usr/lib64/xorg/modules/drivers/nvidia_drv.so
/usr/share
/usr/share/X11
/usr/share/X11/xorg.conf.d
/usr/share/X11/xorg.conf.d/50-nvidia-drm-outputclass.conf
/usr/share/applications
/usr/share/applications/nvidia-settings.desktop
/usr/share/doc
/usr/share/doc/nvidia-drivers-367.27
/usr/share/doc/nvidia-drivers-367.27/NVIDIA_Changelog.bz2
/usr/share/doc/nvidia-drivers-367.27/README.bz2
/usr/share/doc/nvidia-drivers-367.27/README.gentoo.bz2
/usr/share/doc/nvidia-drivers-367.27/html
/usr/share/doc/nvidia-drivers-367.27/html/acknowledgements.html
/usr/share/doc/nvidia-drivers-367.27/html/addressingcapabilities.html
/usr/share/doc/nvidia-drivers-367.27/html/addtlresources.html
/usr/share/doc/nvidia-drivers-367.27/html/appendices.html
/usr/share/doc/nvidia-drivers-367.27/html/audiosupport.html
/usr/share/doc/nvidia-drivers-367.27/html/commonproblems.html
/usr/share/doc/nvidia-drivers-367.27/html/configlaptop.html
/usr/share/doc/nvidia-drivers-367.27/html/configmultxscreens.html
/usr/share/doc/nvidia-drivers-367.27/html/configtwinview.html
/usr/share/doc/nvidia-drivers-367.27/html/depth30.html
/usr/share/doc/nvidia-drivers-367.27/html/displaydevicenames.html
/usr/share/doc/nvidia-drivers-367.27/html/dma_issues.html
/usr/share/doc/nvidia-drivers-367.27/html/dpi.html
/usr/share/doc/nvidia-drivers-367.27/html/editxconfig.html
/usr/share/doc/nvidia-drivers-367.27/html/faq.html
/usr/share/doc/nvidia-drivers-367.27/html/flippingubb.html
/usr/share/doc/nvidia-drivers-367.27/html/framelock.html
/usr/share/doc/nvidia-drivers-367.27/html/glxsupport.html
/usr/share/doc/nvidia-drivers-367.27/html/gpunames.html
/usr/share/doc/nvidia-drivers-367.27/html/i2c.html
/usr/share/doc/nvidia-drivers-367.27/html/index.html
/usr/share/doc/nvidia-drivers-367.27/html/installationandconfiguration.html
/usr/share/doc/nvidia-drivers-367.27/html/installdriver.html
/usr/share/doc/nvidia-drivers-367.27/html/installedcomponents.html
/usr/share/doc/nvidia-drivers-367.27/html/introduction.html
/usr/share/doc/nvidia-drivers-367.27/html/kms.html
/usr/share/doc/nvidia-drivers-367.27/html/knownissues.html
/usr/share/doc/nvidia-drivers-367.27/html/minimumrequirements.html
/usr/share/doc/nvidia-drivers-367.27/html/newusertips.html
/usr/share/doc/nvidia-drivers-367.27/html/nvidia-debugdump.html
/usr/share/doc/nvidia-drivers-367.27/html/nvidia-ml.html
/usr/share/doc/nvidia-drivers-367.27/html/nvidia-persistenced.html
/usr/share/doc/nvidia-drivers-367.27/html/nvidia-smi.html
/usr/share/doc/nvidia-drivers-367.27/html/nvidiasettings.html
/usr/share/doc/nvidia-drivers-367.27/html/openglenvvariables.html
/usr/share/doc/nvidia-drivers-367.27/html/optimus.html
/usr/share/doc/nvidia-drivers-367.27/html/powermanagement.html
/usr/share/doc/nvidia-drivers-367.27/html/procinterface.html
/usr/share/doc/nvidia-drivers-367.27/html/profiles.html
/usr/share/doc/nvidia-drivers-367.27/html/programmingmodes.html
/usr/share/doc/nvidia-drivers-367.27/html/randr14.html
/usr/share/doc/nvidia-drivers-367.27/html/sdi.html
/usr/share/doc/nvidia-drivers-367.27/html/selectdriver.html
/usr/share/doc/nvidia-drivers-367.27/html/sli.html
/usr/share/doc/nvidia-drivers-367.27/html/supportedchips.html
/usr/share/doc/nvidia-drivers-367.27/html/vdpausupport.html
/usr/share/doc/nvidia-drivers-367.27/html/xcompositeextension.html
/usr/share/doc/nvidia-drivers-367.27/html/xconfigoptions.html
/usr/share/doc/nvidia-drivers-367.27/html/xineramaglx.html
/usr/share/doc/nvidia-drivers-367.27/html/xrandrextension.html
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/nvidia-cuda-mps-control.1.bz2
/usr/share/man/man1/nvidia-modprobe.1.bz2
/usr/share/man/man1/nvidia-persistenced.1.bz2
/usr/share/man/man1/nvidia-settings.1.bz2
/usr/share/man/man1/nvidia-smi.1.bz2
/usr/share/man/man1/nvidia-xconfig.1.bz2
/usr/share/nvidia
/usr/share/nvidia/nvidia-application-profiles-367.27-key-documentation
/usr/share/pixmaps
/usr/share/pixmaps/nvidia-settings.png

Of the libraries in /usr/lib64/ that I checked, none were setuid, so I'm not sure what exact path firefox is trying to traverse here. That said, I'm using a PaX kernel and programs that wish to use the nvidia drivers do require MPROTECT to be disabled, since the OpenGL drivers require an executable stack for reasons unknown to me.

netblue30 commented 8 years ago

Let's check what programs are started by firefox:

Close all firefox windows, open a new terminal, and as user root run:

# firemon | grep exec

After this, start firefox.

haasn commented 8 years ago

I don't get any output from that. I don't seem to get any output from firemon at all, except when starting it with a jail already running (I get its process printed to stdout and then nothing).

Even if I start a program inside firejail and then manually execute other binaries (e.g. /exec -n ls in weechat), I get no output from firemon. Is that normal?

I did have to build and load the connector module for it to run at all, maybe I'm missing some other kernel configuration.

Edit: I had a look at strace firemon and all it seems to be doing is this in an infinite loop:

socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
bind(3, {sa_family=AF_NETLINK, pid=7808, groups=00000001}, 12) = 0
writev(3, [{"(\0\0\0\3\0\0\0\0\0\0\0\200\36\0\0", 16}, {"\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0", 20}, {"\1\0\0\0", 4}], 3) = 40
select(4, [3], NULL, NULL, {30, 0})     = 0 (Timeout)
select(4, [3], NULL, NULL, {30, 0}
...

Note: Another thing I could do is strace the exec calls of firefox itself, or turn on exec logging in grsec, or use auditd or something. But I'm probably not going to attempt the latter two soon.

haasn commented 8 years ago

I checked strace -e trace=process /usr/bin/firefox and it performs no execve() calls whatsoever.

netblue30 commented 8 years ago

grep exec should report at least firefox starting in the sandbox, something like this:

15:29:42 exec 26385 (netblue) firejail /usr/lib/firefox-esr/firefox-esr 
15:29:42 exec 26388 (netblue) /bin/bash -c '/usr/lib/firefox-esr/firefox-esr'  
15:29:42 exec 26388 (netblue) /usr/lib/firefox-esr/firefox-esr 

Start firefox as "firejail firefox"

I checked strace -e trace=process /usr/bin/firefox

The environment in the jail is different; they might be starting some other programs.