On 09/05/18 18:10, Mike Gilbert wrote:
> On Wed, May 9, 2018 at 12:34 PM, Matt Turner <mattst88@g.o> wrote:
>> On Tue, May 8, 2018 at 11:51 PM, Dennis Schridde <devurandom@×××.net> wrote:
>>> Hello!
>>>
>>> I see sandbox violations similar to "ACCESS DENIED: open_wr: /dev/dri/
>>> renderD128" pop up for more and more packages, probably since OpenCL becomes
>>> used more widely. Hence I would like to ask: Could we in Gentoo treat GPUs
>>> just like CPUs and allow any process to access render nodes (i.e. the GPUs
>>> compute capabilities via the specific interface the Linux kernel's DRM offers
>>> for that purpose) without sandbox restrictions?
>>>
>>> --Dennis
>>>
>>> See-Also: https://bugs.gentoo.org/654216
>> This seems like a bad idea. With CPUs we've had decades to work out
>> how to isolate processes and prevent them from taking down the system.
>>
>> GPUs are not there yet. It's simple to trigger an unrecoverable GPU
>> hang and not much harder to turn it into a full system lock up.
>>
>> This is not safe.
>>
> It's worth noting that the default rules shipped with udev assign mode
> 0666 to the /dev/dri/renderD* device nodes. So, outside of a sandbox
> environment, any user may access these devices.
>
> This was merged as part of this PR: https://github.com/systemd/systemd/pull/7112
>
How does that pan out for other init systems?