Differential D290523

Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stransky
ClosedPublic
Actions

Authored by tboiko on Mar 27 2026, 4:48 PM.

Details

Reviewers

jld

Commits

rFIREFOXAUTOLANDe5f8199fc247: Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r=jld

Bugzilla Bug ID

2021722

Summary

Sandbox:

Allow required syscalls and broker paths for Vulkan video in the RDD process (seccomp and filesystem broker policy updates for drivers, sockets, and related resources).

Diff Detail

Repository: rFIREFOXAUTOLAND firefox-autoland

Event Timeline

tboiko created this revision.Mar 27 2026, 4:48 PM

Herald added a project: secure-revision. · View Herald TranscriptMar 27 2026, 4:48 PM

phab-bot published this revision for review.Mar 27 2026, 4:48 PM

phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".

phab-bot changed the edit policy from "Custom Policy" to "Restricted Project (Project)".

phab-bot removed a project: secure-revision.

Herald added a subscriber: jld. · View Herald TranscriptMar 27 2026, 4:48 PM

reviewbot added a subscriber: reviewbot.Mar 27 2026, 5:16 PM

Comment Actions

The analysis task source-test-clang-tidy failed, but we could not detect any defect.
Please check this task manually.

The analysis task source-test-clang-format failed, but we could not detect any defect.
Please check this task manually.

The analysis task source-test-clang-external failed, but we could not detect any defect.
Please check this task manually.

If you see a problem in this automated review, please report it here.

Harbormaster failed remote builds in B937802: Diff 1235358!Mar 27 2026, 5:16 PM

tboiko updated this revision to Diff 1235538.Mar 27 2026, 7:33 PM

reviewbot added a comment.Mar 27 2026, 7:49 PM

Comment Actions

The analysis task source-test-clang-external failed, but we could not detect any defect.
Please check this task manually.

The analysis task source-test-clang-tidy failed, but we could not detect any defect.
Please check this task manually.

The analysis task source-test-clang-format failed, but we could not detect any defect.
Please check this task manually.

If you see a problem in this automated review, please report it here.

Harbormaster failed remote builds in B937927: Diff 1235538!Mar 27 2026, 7:49 PM

stransky added a reviewer: jld.Mar 28 2026, 8:49 AM

stransky removed a reviewer: stransky.Mar 30 2026, 5:50 PM

Coelacanthus added a subscriber: Coelacanthus.Apr 8 2026, 8:27 AM

Comment Actions

May be is needed in as well?

tboiko updated this revision to Diff 1243532.Apr 8 2026, 10:23 AM

tboiko added a comment.Apr 8 2026, 10:24 AM

Comment Actions

OK, added /usr/share/vulkan/icd.d to AddVulkanDependencies() as well

reviewbot added a comment.Apr 8 2026, 10:50 AM

Comment Actions

The analysis task source-test-clang-external failed, but we could not detect any defect.
Please check this task manually.

The analysis task source-test-clang-tidy failed, but we could not detect any defect.
Please check this task manually.

The analysis task source-test-clang-format failed, but we could not detect any defect.
Please check this task manually.

If you see a problem in this automated review, please report it here.

Harbormaster failed remote builds in B943904: Diff 1243532!Apr 8 2026, 10:50 AM

tboiko updated this revision to Diff 1257428.Apr 24 2026, 11:09 AM

reviewbot added a comment.Apr 24 2026, 11:36 AM

Comment Actions

Code analysis found 6 defects in diff 1257428:

6 build errors found by clang-tidy

IMPORTANT: Found 6 defects (error level) that must be fixed before landing.

You can run this analysis locally with:

(C/C++)

If you see a problem in this automated review, please report it here.

You can view these defects in the Diff Detail section of Phabricator diff 1257428.

Harbormaster failed remote builds in B954836: Diff 1257428!Apr 24 2026, 11:36 AM

tboiko updated this revision to Diff 1262357.Apr 29 2026, 10:18 PM

reviewbot added a comment.Apr 29 2026, 10:44 PM

Comment Actions

Code analysis found 6 defects in diff 1262357:

6 build errors found by clang-tidy

IMPORTANT: Found 6 defects (error level) that must be fixed before landing.

You can run this analysis locally with:

(C/C++)

If you see a problem in this automated review, please report it here.

You can view these defects in the Diff Detail section of Phabricator diff 1262357.

Harbormaster failed remote builds in B958698: Diff 1262357!Apr 29 2026, 10:45 PM

tboiko updated this revision to Diff 1267103.May 5 2026, 10:21 PM

reviewbot added a comment.May 5 2026, 10:40 PM

Comment Actions

Code analysis found 6 defects in diff 1267103:

6 build errors found by clang-tidy

IMPORTANT: Found 6 defects (error level) that must be fixed before landing.

You can run this analysis locally with:

(C/C++)

If you see a problem in this automated review, please report it here.

You can view these defects in the Diff Detail section of Phabricator diff 1267103.

Harbormaster failed remote builds in B962537: Diff 1267103!May 5 2026, 10:41 PM

tboiko updated this revision to Diff 1273722.May 13 2026, 11:15 AM

tboiko updated this revision to Diff 1275693.May 15 2026, 12:33 PM

Harbormaster completed remote builds in B969237: Diff 1275693.May 15 2026, 1:04 PM

tboiko added a comment.May 15 2026, 11:24 PM

Comment Actions

@jld , can you please take a look? I have fixed all the comments as above

jld requested changes to this revision.Thu, May 21, 5:27 AM

Comment Actions

I'm concerned about the security implications of the rules. Hopefully there's a way to reduce those to something safer. If that's not possible, then at a minimum I'd like to make those rules conditional on detecting the hardware in question.

security/sandbox/linux/SandboxFilter.cpp
2154	should be handled in as . But also, why do we need this? This patch isn't allowing or , so I assume this would only be for setting the source address on an outgoing connection, but I don't think that will work with the brokered (it receives a new socket from the broker and s over the old one). For the same reason, it's probably harmless to allow , but I wonder if this is really doing what it was meant to.
2160–2162	I believe won't ever be null, so this should be deleted. (Also, allowing and unconditionally would be a significant hole in the sandbox.)
security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
917–928	This seems to be dead code?
932–935	This adds a number of sandbox escapes. The X11 server is the most obvious one, but I believe unrestricted DBus access is also a sandbox escape, and that rule also includes PulseAudio (accepts commands to arbitrary files), , etc., various other things that probably aren't expecting hostile input from a same-uid client. Is it really necessary to allow all of this, given that VA-API didn't need it? Would it be possible to narrow these rules and/or move some of the initialization before starting the sandbox, to avoid needing to do this?

This revision now requires changes to proceed.Thu, May 21, 5:27 AM

tboiko requested review of this revision.Thu, May 21, 11:04 AM

tboiko updated this revision to Diff 1279744.

tboiko added a comment.Thu, May 21, 11:08 AM

Comment Actions

Done, the vulkan decoding works with these changes at my side.

security/sandbox/linux/SandboxFilter.cpp
2154	removed this. it works without it.
2160–2162	removed this. it works without it
security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
917–928	removed this. yes, this code is unused
932–935	removed this. it works without it

Harbormaster completed remote builds in B972331: Diff 1279744.Thu, May 21, 11:31 AM

tboiko updated this revision to Diff 1281197.Fri, May 22, 4:21 PM

tboiko added a subscriber: stransky.Fri, May 22, 4:30 PM

Comment Actions

OK, updated

security/sandbox/linux/SandboxFilter.cpp
2154	@jld, actually, I remember @stransky reported a seccomp sandbox violation without "bind": https://phabricator.services.mozilla.com/D286552#10063337 So, it would be better to keep it in EvaluateSocketCall as SYS_BIND instead of removing, like you suggested

Harbormaster completed remote builds in B973423: Diff 1281197.Fri, May 22, 4:52 PM

jld accepted this revision.Thu, Jun 4, 5:13 AM

jld added a project: testing-exception-elsewhere (Please comment explaining where the tests are).

Comment Actions

r+, modulo some minor comments.

Testing note: I assume that existing video tests will provide coverage for this if run on a suitable system. (In general this is kind of difficult for CI because of needing specific real hardware; if I recall correctly Mozilla CI has some coverage for WebGL but not for VA-API support, although that may have changed since I last tried to look into it.)

security/sandbox/linux/SandboxFilter.cpp
1975	If there's no more , you should be able to drop the as well.
2022	You could see if this works with or something like that; if not, the is fine as previously discussed.
2027–2029	See above re .

This revision is now accepted and ready to land.Thu, Jun 4, 5:13 AM

tboiko updated this revision to Diff 1291889.Thu, Jun 4, 10:55 AM

tboiko added a comment.Thu, Jun 4, 10:59 AM

Comment Actions

OK, updated as per the minor comments above
Thank you for the review

security/sandbox/linux/SandboxFilter.cpp
1975	OK, removed
2022	Modified as above, works for me
2027–2029	OK, removed

Harbormaster completed remote builds in B981331: Diff 1291889.Thu, Jun 4, 11:17 AM

Closed by commit rFIREFOXAUTOLANDe5f8199fc247: Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r=jld (authored by tboiko, committed by stransky). · Explain WhyThu, Jun 4, 1:40 PM

This revision was automatically updated to reflect the committed changes.

stransky added a commit: rFIREFOXAUTOLANDe5f8199fc247: Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r=jld.

stransky mentioned this in rFIREFOXBETAe5f8199fc247: Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r=jld.Mon, Jun 15, 12:39 PM

Revision Contents
Changeset List

Path

Size

security/

sandbox/

linux/

SandboxFilter.cpp

34 lines

broker/

SandboxBrokerPolicyFactory.cpp

56 lines

Commit	Tree	Parents	Author	Summary	Date
e5f8199fc247	97837a4fbb1b	Tymur Boiko	Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r=jld (Show More…)

	Status	Author
Closed	tboiko	D296451 Bug 2021722 - MOZ/GTK - Fix DRM_FORMAT_MOD_INVALID redefinition in DMABufFormats.cpp. r?stransky
Closed	tboiko	D290523 Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stransky
Closed	tboiko	D290522 Bug 2021722 - DOM Media - FFmpeg Vulkan Video decode in RDD. r?stransky
Closed	tboiko	D290521 Bug 2021722 - GFX - GL/EGL, layers, and compositor IPC for Vulkan video. r?stransky
Closed	tboiko	D290520 Bug 2021722 - MOZ/GTK - Prefs, packaging, configure, and GTK platform hooks for Vulkan video. r?stransky

D294277 Bug 2031816 - Rename calls to nspr in mozilla-central.
·Reviewers: decoder, sergesanspaille, geckoview-reviewers, extension-reviewers, application-update-reviewers, credential-management-reviewers, webrtc-reviewers, ...
Fri, Jun 12, 11:02 AM
Author: kaie
D306340 Bug 2046954 - Sandbox - Fix RDD Vulkan sandbox policy for display server access. r=jld,stransky
·Reviewers: jld
Fri, Jun 12, 5:53 AM
Author: tboiko
D268412 Bug 1940906 - Sandbox policy for the HWInference utility process. r?haik
·Reviewers: haik
Wed, Jun 3, 3:16 PM
Author: padenot
D298100 Bug 2036402 - Apply std::move in security where values can be moved instead of copied r?#firefox-static-analysis-reviewers
·Reviewers: Restricted Project, sergesanspaille, keeler, jld
Thu, May 28, 12:50 PM
Author: sylvestre

Diff 1292039

View Options

security/sandbox/linux/SandboxFilter.cpp

View Options

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

Privacy · Cookies · Legal

URL: https://phabricator.services.mozilla.com/D290523

⇱ ⚙ D290523 Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stransky

Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stransky
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 1292039

security/sandbox/linux/SandboxFilter.cpp

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

URL: https://phabricator.services.mozilla.com/D290523

⇱ ⚙ D290523 Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stransky

Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stranskyClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 1292039

security/sandbox/linux/SandboxFilter.cpp

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

Bug 2021722 - Sandbox - RDD sandbox policy for Vulkan video. r?stransky
ClosedPublic
Actions

Revision Contents
Changeset List