Bug 648728

Summary: [Tracker] virtual/opencl providers should set SANDBOX_PREDICT or SANDBOX_WRITE in /etc/sandbox.d/99opencl
Product: Gentoo Linux
Reporter: Dennis Schridde <dschridde+gentoobugs>
Component: Current packages
Assignee: Gentoo X packagers <x11>
Status: UNCONFIRMED
Severity: normal
CC: o.freyermuth, sam
Priority: Normal
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=580208
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 580208, 648726

Description Dennis Schridde 2018-02-24 19:37:47 UTC
Packages that use OpenCL during build (e.g. those utilising media-gfx/imagemagick or media-gfx/graphicsmagick, including those bundling them, but also sci-geosciences/qgis-3.0.0 via pyuic wrapper) will attempt to access /dev/dri/render* during build, which will cause a build failure due to sandbox violations.

If the render nodes were listed in SANDBOX_PREDICT in a new /etc/sandbox.d/99opencl file, this would be fixed.

See-Also: https://bugs.gentoo.org/580208
See-Also: https://bugs.gentoo.org/648726

Comment 1 Dennis Schridde 2018-02-24 19:44:10 UTC
/dev/dri/render* is actually 0666 on my system, which should be safe as the interface was designed to allow only rendering, as opposed to management and modesetting of the card as a whole.  Hence it appears to be safe to list it in SANDBOX_WRITE.

Comment 2 Dennis Schridde 2018-02-25 00:11:17 UTC
Since /etc/sandbox.d/ does not appear to support prefix matches or wildcard globs, every render node has to be explicitly listed in SANDBOX_WRITE.  Could this be automated through a udev rule generating the /etc/sandbox.d/99opencl file?  That should then even cover hotplugged devices.
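
One way the generation step asked about in Comment 2 could look, as an added example that is not part of the bug report or of any Gentoo package: it lists each render node explicitly, accepts only character devices named renderD<digits>, and replaces the file atomically. The script path, the udev rule in the comment, and the colon-separated assignment form of files in /etc/sandbox.d are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Hypothetical udev rule that would
# re-run this script (assumed path) whenever a render node appears or goes:
#   ACTION=="add|remove", SUBSYSTEM=="drm", KERNEL=="renderD*", \
#     RUN+="/usr/local/sbin/gen-opencl-sandbox SANDBOX_PREDICT /dev/dri /etc/sandbox.d/99opencl"

# render_node_list DIR: print the render nodes in DIR, colon-separated.
render_node_list() {
    list=
    for node in "$1"/renderD*; do
        name=${node##*/}
        # Accept only renderD<digits>; this also skips an unexpanded glob.
        case ${name#renderD} in
            ''|*[!0-9]*) continue ;;
        esac
        # Only character devices: a stray regular file is never listed.
        [ -c "$node" ] || continue
        list=${list:+$list:}$node
    done
    printf '%s' "$list"
}

# sandbox_conf VAR DIR: print one assignment line; 1 = no nodes, 2 = bad VAR.
sandbox_conf() {
    case $1 in
        SANDBOX_PREDICT|SANDBOX_WRITE) ;;
        *) echo "unsupported variable: $1" >&2; return 2 ;;
    esac
    nodes=$(render_node_list "$2")
    [ -n "$nodes" ] || return 1
    printf '%s="%s"\n' "$1" "$nodes"
}

# write_conf VAR DIR OUT: replace OUT atomically, or leave it untouched on error.
write_conf() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if sandbox_conf "$1" "$2" >"$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$3"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}

# Run only when called with the three arguments; sourcing defines functions only.
if [ "$#" -eq 3 ]; then write_conf "$@"; fi
```

Passing SANDBOX_PREDICT keeps the nodes non-writable from inside the sandbox while avoiding the violation; SANDBOX_WRITE grants actual write access.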