iter5 amendment: extend Firefox sandbox patch to UtilitySandboxPolicy
Real-world YouTube avc1 playback on the iter5-G binary surfaced a seccomp violation (`syscall 29`, `0x80047C05` = `MEDIA_IOC_REQUEST_ALLOC`) that the autonomous Phase 7G test missed because seccomp returns ENOSYS silently and Firefox falls back to SW decode.

Two distinct gaps:

- patch-sync drift: campaign 113-line patch (broker+RDD-seccomp) had drifted from container 84-line patch (broker only); iter5-G shipped with the broker fix but no RDD seccomp fix.
- coverage gap: FF150 routes VAAPI to the Utility process; iter3's RDD-only seccomp allowlist never covered Utility.

Combined patch now hits three gates across two files (six hunks):

- broker: cap-filter widen + AddV4l2RequestApiDependencies + RDD wire-in
- RDD seccomp: kMediaType allow alongside existing kVideoType
- Utility seccomp: new __NR_ioctl override mirroring RDD's allowlist

Build: incremental `makepkg -e` on existing iter5-G object tree took 2:22 wall vs the 2h27m from-scratch alternative.

phase8_iteration5_close.md: appended amendment section with verdict, gap analysis, patch breakdown, deploy-pending status.

firefox-fourier/README.md: rewrote "The problem" from 2 gates to 3 (broker + RDD seccomp + Utility seccomp); patch summary now explains the six hunks.

Pending: pkg deploy to ohm + lsof /dev/video1 verification once network route to ohm is restored.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -4,11 +4,13 @@ Lets Firefox 150 hardware-decode H.264 video on Linux V4L2-stateless decoders (R
## The problem
Stock Firefox 150 (and earlier) blocks V4L2 stateless decoders inside the RDD process sandbox in two places:
Stock Firefox 150 (and earlier) blocks V4L2 stateless decoders in **three** places — the broker (1 location, two gates) and the seccomp filter (two process classes):
1. **Broker policy** (`security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp`): `AddV4l2Dependencies()` filters `/dev/video*` by `VIDEO_M2M | VIDEO_M2M_MPLANE` capability. Stateless decoders advertise `CAPTURE_MPLANE + OUTPUT_MPLANE + STREAMING` but typically not M2M, so `/dev/video1` is silently dropped. And `GetRDDPolicy()` never references `/dev/media*` at all — the V4L2 request API (`MEDIA_REQUEST_IOC_QUEUE` et al), required for stateless decode, lives on `/dev/media*` nodes the broker won't open from RDD.
2. **Seccomp policy** (`security/sandbox/linux/SandboxFilter.cpp`): `RDDSandboxPolicy::EvaluateSyscall`'s ioctl handler allowlists ioctl magic byte `'V'` (V4L2) but not `'|'` (`<linux/media.h>`). Even after broker permits the open, the kernel ioctl path is filtered, returning ENOSYS (silent — Mozilla's seccomp uses `SECCOMP_RET_ERRNO`, not SIGSYS).
2. **RDD seccomp** (`security/sandbox/linux/SandboxFilter.cpp`, `RDDSandboxPolicy::EvaluateSyscall`): the ioctl handler allowlists ioctl magic byte `'V'` (V4L2) but not `'|'` (`<linux/media.h>`). Even after the broker permits the open, the kernel ioctl path is filtered, returning ENOSYS (silent — Mozilla's seccomp uses `SECCOMP_RET_ERRNO`, not SIGSYS).
3. **Utility seccomp** (`security/sandbox/linux/SandboxFilter.cpp`, `UtilitySandboxPolicy::EvaluateSyscall`): since Firefox ~114, much of the VAAPI decode work runs in the Utility process, not RDD. `UtilitySandboxPolicy` does not override `__NR_ioctl` and falls through to `SandboxPolicyCommon`, which blocks DRM (`'d'`), DMA-Buf (`'b'`), V4L2 (`'V'`), and media-controller (`'|'`) magic bytes — all four are needed for stateless decode end-to-end. Empirically: `MEDIA_IOC_REQUEST_ALLOC` (`_IOR('|', 0x05, int)`) returns ENOSYS even with RDD fully patched.
Existing M2M-stateful decoders work (per Mozilla bugs 1833354 / 1965646); stateless never did.
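Review bot: the new intro line (new item at the top of this hunk) says stateless decoders are blocked in "**three** places" but then parenthetically describes "the broker (1 location, two gates) and the seccomp filter (two process classes)", which adds up to four gates in two files and mixes numerals ("1 location, two gates"); the numbered list below has three entries, and the commit message calls it "three gates across two files", so suggest rewording to match, e.g. "in three places across two files: the broker policy (cap filter and `/dev/media*`), the RDD seccomp filter, and the Utility seccomp filter". Separately, the new item 3 states the Utility process has carried VAAPI decode work "since Firefox ~114" while everything else in this section is tied to Firefox 150 and cites Mozilla bug numbers (1833354 / 1965646); the "~114" figure should either cite its source or be dropped in favour of the FF150 statement the commit message makes, since the approximation is the only unreferenced version claim in the section.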
@@ -34,12 +36,13 @@ OK for personal-machine use; **not** OK for production / hostile environments.
Apply [`0001-rdd-allow-stateless-v4l2-request-api.patch`](0001-rdd-allow-stateless-v4l2-request-api.patch) to firefox-150.0.1 source.
The patch:
The patch (six hunks across two files):
1. Widens `AddV4l2Dependencies` cap filter to admit nodes with `(CAPTURE_MPLANE & OUTPUT_MPLANE & STREAMING)` for stateless decoders.
2. Adds a new `AddV4l2RequestApiDependencies()` that enumerates `/dev/media*` and adds each rdwr to the RDD broker policy.
3. Adds ioctl magic byte `'|'` (linux/media.h) to `RDDSandboxPolicy`'s seccomp allowlist alongside the existing `'V'`.
4. Adds an explicit `case __NR_ioctl:` to `UtilitySandboxPolicy::EvaluateSyscall` mirroring RDD's allowlist (`'d'` DRM, `'b'` DMA-Buf, `'V'` V4L2, `'|'` linux/media.h) — required because FF150 routes VAAPI work to the Utility process and the common policy blocks all four magic bytes.
Tested on hantro G1 (Rockchip RK3568 / PineTab2) running bbb_1080p30 H.264 with full sandbox enabled. ENETDOWN gone, libva initializes inside RDD, decode reaches end-of-stream.
Tested on hantro G1 (Rockchip RK3568 / PineTab2) running bbb_1080p30 H.264 with full sandbox enabled. ENETDOWN gone, libva initializes in the Utility process, `MEDIA_IOC_REQUEST_ALLOC` succeeds, decode reaches end-of-stream.
## Build instructions (Arch / ALARM)
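Review bot: item 2 of the patch summary still adds `/dev/media*` "to the RDD broker policy" only, yet the new item 4 and the updated test line say the VAAPI work and the successful `MEDIA_IOC_REQUEST_ALLOC` now happen in the Utility process; if the Utility process opens `/dev/media*` itself rather than inheriting an fd from RDD, the Utility broker policy needs the same `AddV4l2RequestApiDependencies()` wire-in, and if it does not, the README should say how the media node reaches Utility, otherwise a reader cannot tell whether the broker half of the fix is complete. Since item 4 widens `UtilitySandboxPolicy` to admit `'d'`, `'b'`, `'V'` and `'|'` ioctls that `SandboxPolicyCommon` blocks on purpose, the "**not** OK for production / hostile environments" note in this hunk's header context should state explicitly that the Utility sandbox, not just RDD, is now weakened, and whether the `case __NR_ioctl:` applies to every Utility policy instance or only the media one. Two smaller points: the test line reports "ENETDOWN gone" while "The problem" section describes the failure as a silent ENOSYS from `SECCOMP_RET_ERRNO`, so one of the two errno names looks wrong or needs a sentence explaining where ENETDOWN came from; and the patch file is still named `0001-rdd-allow-stateless-v4l2-request-api.patch` although it now also touches `UtilitySandboxPolicy`, so consider renaming it or noting the name is historical.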