Don't dissallow open with write flag syscall on NVIDIA
ClosedPublic

Authored by graesslin on Aug 30 2017, 4:50 PM.

Details

Summary

The latest NVIDIA driver crashes the greeter due to our seccomp enabled
sandbox being too restrictive. The driver is now opening files for
writing after our dummy context got created and this causes a crash. In
order to provide our users a working system again we better disable the
seccomp rule for NVIDIA users for the time being.

To detect whether an NVIDIA driver is used I copied the glplatform from
KWin which is known to work and more reliable than writing new custom
code even if it's a code copy. For master I'll look into splitting that
one out from KWin and putting it into a dedicated library so that we can
link it.

This of course means that the seccomp based sandbox is now incomplete
for NVIDIA users. An idea is to add an additional apparmor rule in
master to enforce the write restrictions in similar way without forcing
it for /dev.

BUG: 384005

Test Plan

I don't have an NVIDIA

Diff Detail

Repository
R133 KScreenLocker
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
graesslin created this revision.Aug 30 2017, 4:50 PM
Restricted Application added a project: Plasma. · View Herald TranscriptAug 30 2017, 4:50 PM
Restricted Application added a subscriber: plasma-devel. · View Herald Transcript

@jriddell, @davidedmundson: due to the urgency of the problem I would like to have an emergency release of kscreenlocker 5.10 branch as soon as this is pushed.

You said on your blog you also saw this crash in kwin.

If it's seccomp, how can that be the case?

davidedmundson accepted this revision.Aug 30 2017, 6:06 PM

Just read the upstream report with the upstream nvidia guy saying it's caused by this.

Seems fine. I'll make a new tarball whenever. Do you want to wait till some tester tests it?

This revision is now accepted and ready to land.Aug 30 2017, 6:06 PM

You said on your blog you also saw this crash in kwin.

If it's seccomp, how can that be the case?

Yes, that's why I thought it's not seccomp related.

Just read the upstream report with the upstream nvidia guy saying it's caused by this.

Seems fine. I'll make a new tarball whenever. Do you want to wait till some tester tests it?

yes, I'd say I give it 24 h to have someone test it. So push on Thursday evening with release on Friday?

Someone tested, will respin first thing tomorrow.

This revision was automatically updated to reflect the committed changes.

Users of LTS might get a new nvidia driver too.
Maybe worth cherry-picking.

Users of LTS might get a new nvidia driver too.
Maybe worth cherry-picking.

the problematic code is new in 5.10, so not an issue (luckily)