1 |
On Wed, May 9, 2018 at 10:19 AM, Alec Warner <antarus@g.o> wrote: |
2 |
> On Wed, May 9, 2018 at 12:34 PM, Matt Turner <mattst88@g.o> wrote: |
3 |
>> |
4 |
>> On Tue, May 8, 2018 at 11:51 PM, Dennis Schridde <devurandom@×××.net> |
5 |
>> wrote: |
6 |
>> > Hello! |
7 |
>> > |
8 |
>> > I see sandbox violations similar to "ACCESS DENIED: open_wr: /dev/dri/ |
9 |
>> > renderD128" pop up for more and more packages, probably since OpenCL |
10 |
>> > becomes |
11 |
>> > used more widely. Hence I would like to ask: Could we in Gentoo treat |
12 |
>> > GPUs |
13 |
>> > just like CPUs and allow any process to access render nodes (i.e. the |
14 |
>> > GPUs |
15 |
>> > compute capabilities via the specific interface the Linux kernel's DRM |
16 |
>> > offers |
17 |
>> > for that purpose) without sandbox restrictions? |
18 |
>> > |
19 |
>> > --Dennis |
20 |
>> > |
21 |
>> > See-Also: https://bugs.gentoo.org/654216 |
22 |
>> |
23 |
>> This seems like a bad idea. With CPUs we've had decades to work out |
24 |
>> how to isolate processes and prevent them from taking down the system. |
25 |
>> |
26 |
>> GPUs are not there yet. It's simple to trigger an unrecoverable GPU |
27 |
>> hang and not much harder to turn it into a full system lock up. |
28 |
>> |
29 |
>> |
30 |
>> This is not safe. |
31 |
>> |
32 |
> |
33 |
> Is the sandbox considered a security boundary? Certainly in earlier |
34 |
> (LD_PRELOAD based) implementation it was not. |
35 |
> Instead it was intended to protect the build environment from leaks (e.g. |
36 |
> accessing unwanted host state in the build env.) |
37 |
> |
38 |
> Sure it also in theory prevented build environments from writing to the |
39 |
> host; but it didn't do a very secure job of it. |
40 |
|
41 |
I don't know. |
42 |
|
43 |
Irrespective to the answer to that question, it's my opinion that we |
44 |
should not execute code via the package manager that has the potential |
45 |
to bring down the whole system. |