'D7616: Don't dissallow open with write flag syscall on NVIDIA'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-panel-devel
Subject:    D7616: Don't dissallow open with write flag syscall on NVIDIA
From:       Martin_Flöser <noreply () phabricator ! kde ! org>
Date:       2017-08-30 16:50:34
Message-ID: differential-rev-PHID-DREV-tortr3clx3soo5ooazje-req () phabricator ! kde ! org
[Download RAW message or body]

graesslin created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.

REVISION SUMMARY
  The latest NVIDIA driver crashes the greeter due to our seccomp enabled
  sandbox being too restrictive. The driver is now opening files for
  writing after our dummy context got created and this causes a crash. In
  order to provide our users a working system again we better disable the
  seccomp rule for NVIDIA users for the time being.
  
  To detect whether an NVIDIA driver is used I copied the glplatform from
  KWin which is known to work and more reliable than writing new custom
  code even if it's a code copy. For master I'll look into splitting that
  one out from KWin and putting it into a dedicated library so that we can
  link it.
  
  This of course means that the seccomp based sandbox is now incomplete
  for NVIDIA users. An idea is to add an additional apparmor rule in
  master to enforce the write restrictions in similar way without forcing
  it for /dev.
  
  BUG: 384005

TEST PLAN
  I don't have an NVIDIA

REPOSITORY
  R133 KScreenLocker

BRANCH
  nvidia-seccomp

REVISION DETAIL
  https://phabricator.kde.org/D7616

AFFECTED FILES
  greeter/CMakeLists.txt
  greeter/autotests/CMakeLists.txt
  greeter/autotests/seccomp_test.cpp
  greeter/kwinglplatform.cpp
  greeter/kwinglplatform.h
  greeter/seccomp_filter.cpp

To: graesslin, #plasma
Cc: plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, \
abetts, sebas, apol, mart, lukas


[Attachment #3 (unknown)]

<table><tr><td style="">graesslin created this revision.<br />Restricted Application \
added a project: Plasma.<br />Restricted Application added a subscriber: \
plasma-devel. </td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px \
8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; \
background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); \
display: inline-block; border: 1px solid rgba(71,87,120,.2);" \
href="https://phabricator.kde.org/D7616" rel="noreferrer">View \
Revision</a></tr></table><br /><div><strong>REVISION SUMMARY</strong><div><p>The \
latest NVIDIA driver crashes the greeter due to our seccomp enabled<br /> sandbox \
being too restrictive. The driver is now opening files for<br /> writing after our \
dummy context got created and this causes a crash. In<br /> order to provide our \
users a working system again we better disable the<br /> seccomp rule for NVIDIA \
users for the time being.</p>

<p>To detect whether an NVIDIA driver is used I copied the glplatform from<br />
KWin which is known to work and more reliable than writing new custom<br />
code even if it&#039;s a code copy. For master I&#039;ll look into splitting that<br \
/> one out from KWin and putting it into a dedicated library so that we can<br />
link it.</p>

<p>This of course means that the seccomp based sandbox is now incomplete<br />
for NVIDIA users. An idea is to add an additional apparmor rule in<br />
master to enforce the write restrictions in similar way without forcing<br />
it for /dev.</p>

<p>BUG: 384005</p></div></div><br /><div><strong>TEST PLAN</strong><div><p>I \
don&#039;t have an NVIDIA</p></div></div><br \
/><div><strong>REPOSITORY</strong><div><div>R133 KScreenLocker</div></div></div><br \
/><div><strong>BRANCH</strong><div><div>nvidia-seccomp</div></div></div><br \
/><div><strong>REVISION DETAIL</strong><div><a \
href="https://phabricator.kde.org/D7616" \
rel="noreferrer">https://phabricator.kde.org/D7616</a></div></div><br \
/><div><strong>AFFECTED FILES</strong><div><div>greeter/CMakeLists.txt<br /> \
greeter/autotests/CMakeLists.txt<br /> greeter/autotests/seccomp_test.cpp<br />
greeter/kwinglplatform.cpp<br />
greeter/kwinglplatform.h<br />
greeter/seccomp_filter.cpp</div></div></div><br /><div><strong>To: \
</strong>graesslin, Plasma<br /><strong>Cc: </strong>plasma-devel, ZrenBot, \
progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart, \
lukas<br /></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic