From 4a7a07e0f45470fcc174a1ae5bd1d5449b43effc Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Tue, 5 May 2026 12:56:49 +0000
Subject: [PATCH] =?UTF-8?q?iter3=20Fix:=20select()=20=E2=86=92=20poll()=20?=
 =?UTF-8?q?in=20media=5Frequest=5Fwait=5Fcompletion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Firefox's RDD seccomp common policy admits poll/ppoll/epoll_* but does
NOT admit select/pselect6. Under the iter3 sandbox-patched RDD process,
our select(except_fds) call returned ENOSYS (Mozilla's seccomp uses
SECCOMP_RET_ERRNO with ENOSYS for filtered syscalls — not SIGSYS),
killing libva decode after just one BeginPicture.

poll(POLLPRI) is functionally equivalent for waiting on the media
request fd's exceptional-condition completion signal, and lives
inside a syscall family Mozilla's sandbox already permits. Driver-side
fix preferred over expanding Firefox's seccomp surface — smaller blast
radius, portable across sandbox policies, and poll() is the modern API.

Verified iter3 Phase 7 on ohm: with this change in place plus the
firefox-fourier broker + seccomp ioctl '|' patches, Firefox decodes
through libva inside the sandboxed RDD without MOZ_DISABLE_RDD_SANDBOX=1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/media.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/media.c b/src/media.c
index e3a1bcc..7bf2cc8 100644
--- a/src/media.c
+++ b/src/media.c
@@ -26,7 +26,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/ioctl.h>
-#include <sys/select.h>
+#include <poll.h>
 
 #include <linux/media.h>
 
@@ -78,19 +78,19 @@ int media_request_queue(int request_fd)
 
 int media_request_wait_completion(int request_fd)
 {
-	struct timeval tv = { 0, 300000 };
-	fd_set except_fds;
+	/* poll() instead of select(): Firefox's RDD seccomp policy admits
+	 * poll/ppoll but not select/pselect6 (as of FF150). Functionally
+	 * equivalent here — the media request fd signals completion via
+	 * exceptional condition, mapped to POLLPRI for poll(). */
+	struct pollfd pfd = { .fd = request_fd, .events = POLLPRI };
 	int rc;
 
-	FD_ZERO(&except_fds);
-	FD_SET(request_fd, &except_fds);
-
-	rc = select(request_fd + 1, NULL, NULL, &except_fds, &tv);
+	rc = poll(&pfd, 1, 300 /* ms */);
 	if (rc == 0) {
 		request_log("Timeout when waiting for media request\n");
 		return -1;
 	} else if (rc < 0) {
-		request_log("Unable to select media request: %s\n",
+		request_log("Unable to poll media request: %s\n",
 			    strerror(errno));
 		return -1;
 	}