On fre, 2014-11-28 at 16:07 +0100, Alexander Larsson wrote:
> * OpenGL
>
> There is no opengl yet in the base image, and making this work will
> be a lot of work, since mesa uses udev and dri devices, relies on
> particular kernel/Xorg drivers, etc. It also needs to be replaceable
> easily as the way you install a different gl driver is to replace the
> entire GL library.
>
> Mesa is also pretty unsafe in terms of sandboxing for anything before
> DRI3, as DRI2 buffer handles are global and guessable. Dunno about
> e.g. nvidia.
>
> This will require a lot of ad-hoc work, and probably some setup to
> replace part of a runtime with another sub-runtime.

I've been looking a bit at OpenGL support. The way the mesa (DRI) drivers work is that there are device nodes in /dev/dri, which have rights such that the user can open them (typically by being in the video group, or due to the system setting acls on them for the currently logged in user). These nodes are "safe" to expose as they don't give any raised privileges on open. Operations that are unsafe generally have to be authenticated in some way first.

However, there are still some security issues here. The DRI2 driver APIs use global guessable 32-bit handles (from gem_flink) for buffers, so anyone can read anyone's buffers. This is solved with DRI3 which uses fd passing instead of int handles. Obviously, this is kind of uninteresting atm as I'm currently targeting X11 apps which is completely insecure in this sense anyway. However, when we later switch to wayland and sandboxing we need to ship *only* DRI3 drivers, and assume the host supports these.

To make the drivers work the runtime bind mounts the host /dev/dri into the container. This will work for the dri drivers, but I guess we need to also take a look at e.g. the nvidia drivers and the amd drivers to see what devices they use, how safe they are to expose, and then mount them in too.

I added a build of mesa to gnome-sdk-images which installs all the libraries into /usr/lib/GL, with symlinks in /usr/lib, so that building and running apps against the libs and headers in the SDK work, but we can also easily bind-mount a replacement GL implementation (like e.g. the nvidia drivers) over it, completely shadowing the mesa implementation.
