Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-dev

From: Matt Turner <mattst88@g.o>
To: gentoo development <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] Access to DRM render nodes from portage sandbox?
Date: Wed, 09 May 2018 18:43:41
Message-Id: CAEdQ38GGKdYSrg+CgTk7C+-LRzC9vyGV2kz04StSUzGo0yXsHA@mail.gmail.com
In Reply to: Re: [gentoo-dev] Access to DRM render nodes from portage sandbox? by Alec Warner
1 On Wed, May 9, 2018 at 10:19 AM, Alec Warner <antarus@g.o> wrote:
2 > On Wed, May 9, 2018 at 12:34 PM, Matt Turner <mattst88@g.o> wrote:
3 >>
4 >> On Tue, May 8, 2018 at 11:51 PM, Dennis Schridde <devurandom@×××.net>
5 >> wrote:
6 >> > Hello!
7 >> >
8 >> > I see sandbox violations similar to "ACCESS DENIED: open_wr: /dev/dri/
9 >> > renderD128" pop up for more and more packages, probably since OpenCL
10 >> > becomes
11 >> > used more widely. Hence I would like to ask: Could we in Gentoo treat
12 >> > GPUs
13 >> > just like CPUs and allow any process to access render nodes (i.e. the
14 >> > GPUs
15 >> > compute capabilities via the specific interface the Linux kernel's DRM
16 >> > offers
17 >> > for that purpose) without sandbox restrictions?
18 >> >
19 >> > --Dennis
20 >> >
21 >> > See-Also: https://bugs.gentoo.org/654216
22 >>
23 >> This seems like a bad idea. With CPUs we've had decades to work out
24 >> how to isolate processes and prevent them from taking down the system.
25 >>
26 >> GPUs are not there yet. It's simple to trigger an unrecoverable GPU
27 >> hang and not much harder to turn it into a full system lock up.
28 >>
29 >>
30 >> This is not safe.
31 >>
32 >
33 > Is the sandbox considered a security boundary? Certainly in earlier
34 > (LD_PRELOAD based) implementation it was not.
35 > Instead it was intended to protect the build environment from leaks (e.g.
36 > accessing unwanted host state in the build env.)
37 >
38 > Sure it also in theory prevented build environments from writing to the
39 > host; but it didn't do a very secure job of it.
40
41 I don't know.
42
43 Irrespective to the answer to that question, it's my opinion that we
44 should not execute code via the package manager that has the potential
45 to bring down the whole system.

Replies

Subject Author
Re: [gentoo-dev] Access to DRM render nodes from portage sandbox? Matt Turner <mattst88@g.o>
Report Message
Find on MARC Find on Google Groups